GitHub launches channel to facilitate vulnerability disclosure process for open source software


GitHub, the world’s largest open source software development community, has launched a communication channel on the platform to make it easier for security researchers to report vulnerabilities to project maintainers.

Vulnerability reports have always been complicated. While researchers often feel responsible for notifying users of bugs that could be exploited, there are no clear instructions on how to contact project maintainers. Additionally, many open source projects are managed and supported by small groups of volunteers who update or fix problematic code in their spare time.

The feature – announced Wednesday at GitHub Universe 2022, a global developer event for cloud, security, community and AI – allows researchers to report bugs to maintainers directly and privately.

“Private Vulnerability Reporting is a collaborative solution for security researchers and open source maintainers to report and fix vulnerabilities in open source repositories. It provides a convenient, standardized, and secret way to report, assess, and address vulnerabilities,” GitHub CEO Thomas Dohmke said in a statement.

Justin Hutchings, director of product management at GitHub, told SC Media that in the past, because correct contact information was difficult to find, security researchers always reported vulnerabilities on social media or even created public issues, which could potentially lead to public disclosure of vulnerability details.

“When disclosures happen publicly, officials don’t have time to fix the issues before the bad actors have a chance to hear about it,” Hutchings explained.

With the new feature, when a researcher reports an issue, the maintainers are notified on the platform and can choose to accept it, ask further questions, or reject it. This gives maintainers more control over how researchers communicate vulnerability details to them, while reducing the instances in which maintainers are contacted publicly or through undesirable means. GitHub also expects it to make it less likely that vulnerabilities are exposed to the public before a patch is available.

According to Hutchings, private vulnerability reporting is free, and anyone can now sign up for the public beta. The team plans to make it generally available in early 2023.

Tim Mackey, senior security strategist at Synopsys, said the new feature is promising.

“While large organizations are likely to have ways for researchers to responsibly report vulnerabilities, open source projects, and especially small open source projects, lack the resources to properly manage workflows to receive, respond to and process a safety report – and do so confidentially,” he told SC Media in an email.

“It’s great to see GitHub take this important step. Enabling open source contributors to support their projects easily and securely helps us all move towards greater security,” added Tzachi Zornstain, Chief Security Officer, Supply Chain, at Checkmarx.

While a communication channel improves the likelihood of positive outcomes in the disclosure process, Jamie Scott, Founding Product Manager at Endor Labs, cautioned that it also brings greater ethical responsibility within the open-source community.

By collecting vulnerabilities on the platform, Scott said GitHub now becomes “an arbiter” and “the holder of a vast wealth of security information”. “With this comes an ethical responsibility that GitHub must take seriously to protect information,” he told SC Media in an email.

Additionally, Scott said the community should also standardize timelines for disclosing vulnerabilities to the public if no action is taken on them.
