title | intro | permissions | versions | type | topics | shortTitle | redirect_from | |||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Managing privately reported security vulnerabilities |
Repository maintainers can manage security vulnerabilities that have been privately reported to them by security researchers for repositories where private vulnerability reporting is enabled. |
Anyone with admin permissions to a repository can see, review, and manage privately-reported vulnerabilities for the repository. |
|
how_to |
|
Manage vulnerability reports |
|
{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form.
When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.
{% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}
For more information about configuring notification preferences, see "AUTOTITLE."
{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %} {% data reusables.repositories.sidebar-advisories %}
-
Click the advisory you want to review. An advisory that was reported privately has a status of
Triage
. -
Carefully review the report, then choose how to proceed.
-
To collaborate on a patch in private, click Start a temporary private fork to create a place for further discussions with the contributor. This does not change the status of the proposed advisory from
Triage
. -
To accept the reported vulnerability, click Accept and open as draft to accept the vulnerability report as a draft advisory on {% data variables.product.prodname_dotcom %}. If you choose this option:
- This doesn't make the report public.
- The report becomes a draft repository security advisory and you can work on it in the same way as any draft advisory that you create. For more information on security advisories, see "AUTOTITLE."
-
To ask for more information, or to open a discussion with the reporter, you can comment on the advisory. Any comments are visible only to the reporter and to any collaborators on the advisory.
-
If you have enough information to determine that the problem the reporter describes is not a security risk, click Close security advisory. Where possible, you should add a comment explaining why you don't consider the report a security risk before you close the advisory.
-