Skip to content
Report missing advisories and corrections on OSS Index
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information. Update Apr 16, 2019

OSS Index Vulnerability Reporting

This repository is intended for reports of:

  • Advisories missing from OSS Index
  • Issues with vulnerabilities reported by OSS Index
  • Zero days: Not directly supported here, but please submit them to the Central Security Project whereupon they will find their way into OSS Index.

Thank you for the help!

##What is an advisory, and how do I submit one?

An advisory is a vulnerability which is reported somewhere on the internet. It might be reported as:

  • A vulnerability on a vulnerability list somewhere
  • A security advisory published by a product owner
  • A note in a readme
  • A GitHub, Bugzilla, JIRA, or other issue against a project

To submit an advisory, create an issue which contains the following information. Note that the more fields you provide, the faster we will be able to add the advisory to our catelog. At a minimum the URL field is required:

Issue Title:

Advisory: <A brief description of the advisory>

Issue body:

  URL: <Advisory URL>
  format: <Ecosystem name, eg. maven, npm, nuget, pypi, rubygem, etc.>
  namespace: <maven groupid, npm scope, etc.>
  name: <package name>
  versions: <Version range affected by the vulnerability>

##How do I report other problems in OSS Index data?

Sometimes OSS Index has false positives, or reported vulnerabilities are incomplete.

Issue Title:

Bug: <OSS Index vulnerability URL>

Issue body. Provide a description of the problem:

  <description of problem>
You can’t perform that action at this time.