Process to create new advisories?

[maitre-matt]

I am looking into adding entries for the malicious PyPI packages reported here:

• https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/
• https://jfrog.com/blog/python-malware-imitates-signed-pypi-traffic-in-novel-exfiltration-technique/

Would you have more details about what "Make your change to the advisory file" entails in CONTRIBUTING.md?

For instance:

• Should I create files under advisories/unreviewed or advisories/github-reviewed? Are files moved from one folder to the other automatically?
• How do I come up with the folder/file name (ex: GHSA-6346-5r4h-ff5x)?

Happy to send a PR on CONTRIBUTING.md to include the guidance received here.

[KateCatlin]

Hi @maitre-matt!

Unfortunately, this database does not support new entries and new advisories can not be reported here. This database is exclusively for editing and updating the advisories we already have existing.

We are brainstorming about how to report net new advisories, but that will happen via a separate process.

Sorry about the confusion there! I'll follow up by email.

Thanks for all your work for our community,

Kate