Group user docs on code security into a new "product" (#18196)

Felicity Chapman
2021-03-16 17:25:29 +00:00
committed by GitHub
parent 8f63a4450c
commit 024014740b
96 changed files with 2747 additions and 129 deletions

@@ -0,0 +1,47 @@
---
title: About GitHub Security Advisories
intro: 'You can use {% data variables.product.prodname_security_advisories %} to privately discuss, fix, and publish information about security vulnerabilities in your repository.'
redirect_from:
- /articles/about-maintainer-security-advisories
- /github/managing-security-vulnerabilities/about-maintainer-security-advisories
- /github/managing-security-vulnerabilities/about-github-security-advisories
versions:
free-pro-team: '*'
---
{% data reusables.repositories.security-advisory-admin-permissions %}
{% data reusables.security-advisory.security-researcher-cannot-create-advisory %}
### About {% data variables.product.prodname_security_advisories %}
{% data variables.product.prodname_security_advisories %} allows repository maintainers to privately discuss and fix a security vulnerability in a project. After collaborating on a fix, repository maintainers can publish the security advisory to publicly disclose the security vulnerability to the project's community. By publishing security advisories, repository maintainers make it easier for their community to update package dependencies and research the impact of the security vulnerabilities.
With {% data variables.product.prodname_security_advisories %}, you can:
1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project.
2. Privately collaborate to fix the vulnerability in a temporary private fork.
3. Publish the security advisory to alert your community of the vulnerability.
{% data reusables.repositories.security-advisories-republishing %}
To get started, see "[Creating a security advisory](/github/managing-security-vulnerabilities/creating-a-security-advisory)."
You can give credit to individuals who contributed to a security advisory. For more information, see "[Editing a security advisory](/github/managing-security-vulnerabilities/editing-a-security-advisory#about-credits-for-security-advisories)."
{% data reusables.repositories.security-guidelines %}
{% data reusables.repositories.github-security-lab %}
### CVE identification numbers
{% data variables.product.prodname_security_advisories %} builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list. {% data variables.product.prodname_dotcom %} is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers. For more information, see "[About CVE](https://cve.mitre.org/about/index.html)" and "[CVE Numbering Authorities](https://cve.mitre.org/cve/cna.html)" on the CVE website.
When you create a security advisory for a public repository on {% data variables.product.prodname_dotcom %}, you have the option of providing an existing CVE identification number for the security vulnerability. {% data reusables.repositories.request-security-advisory-cve-id %}
Once you've published the security advisory and {% data variables.product.prodname_dotcom %} has assigned a CVE identification number to the vulnerability, {% data variables.product.prodname_dotcom %} publishes the CVE to the MITRE database.
For more information, see "[Publishing a security advisory](/github/managing-security-vulnerabilities/publishing-a-security-advisory#requesting-a-cve-identification-number)."
### {% data variables.product.prodname_dependabot_alerts %} for published security advisories
{% data reusables.repositories.github-reviews-security-advisories %}
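Review bot: the body links to "Creating a security advisory", "Editing a security advisory" and "Publishing a security advisory" still use the `/github/managing-security-vulnerabilities/` prefix, which this file's own `redirect_from` lists as an old path for this article, so each of them resolves only through a redirect. Suggest pointing them at the articles' new location in this commit so the links do not depend on the redirects being kept.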

@@ -0,0 +1,37 @@
---
title: Adding a collaborator to a security advisory
intro: You can add other users or teams to collaborate on a security advisory with you.
redirect_from:
- /articles/adding-a-collaborator-to-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/adding-a-collaborator-to-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory
versions:
free-pro-team: '*'
---
People with admin permissions to a security advisory can add collaborators to the security advisory.
### Adding a collaborator to a security advisory
Collaborators have write permissions to the security advisory. For more information, see "[Permission levels for security advisories](/github/managing-security-vulnerabilities/permission-levels-for-security-advisories)."
{% note %}
{% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see "[Removing a collaborator from a security advisory](/github/managing-security-vulnerabilities/removing-a-collaborator-from-a-security-advisory)."
{% endnote %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to add a collaborator to.
5. On the right side of the page, under "Collaborators", type the name of the user or team you'd like to add to the security advisory.
![Field to type user or team name](/assets/images/help/security/add-collaborator-field.png)
6. Click **Add**.
![Add button](/assets/images/help/security/security-advisory-add-collaborator-button.png)
### Further reading
- "[Permission levels for security advisories](/github/managing-security-vulnerabilities/permission-levels-for-security-advisories)"
- "[Collaborating in a temporary private fork to resolve a security vulnerability](/github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability)"
- "[Removing a collaborator from a security advisory](/github/managing-security-vulnerabilities/removing-a-collaborator-from-a-security-advisory)"
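Review bot: under "Adding a collaborator to a security advisory" the only stated effect is that collaborators have write permissions to the advisory, while the temporary private fork article in this commit says collaborators on the advisory can also access the temporary private fork. Suggest stating that here, before the steps, so an admin knows that adding a user or team also gives them access to the unpublished fix.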

@@ -0,0 +1,45 @@
---
title: Adding a security policy to your repository
intro: You can give instructions for how to responsibly report a security vulnerability in your project by adding a security policy to your repository.
redirect_from:
- /articles/adding-a-security-policy-to-your-repository
- /github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
versions:
free-pro-team: '*'
---
### About security policies
To give people instructions for responsibly reporting security vulnerabilities in your project, you can add a _SECURITY.md_ file to your repository's root, `docs`, or `.github` folder. When someone creates an issue in your repository, they will see a link to your project's security policy.
You can create a default security policy for your organization or user account. For more information, see "[Creating a default community health file](/github/building-a-strong-community/creating-a-default-community-health-file)."
{% tip %}
**Tip:** To help people find your security policy, you can link to your _SECURITY.md_ file from other places in your repository, such as your README file. For more information, see "[About READMEs](/articles/about-readmes)."
{% endtip %}
After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)."
{% data reusables.repositories.github-security-lab %}
### Adding a security policy to your repository
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
3. In the left sidebar, click **Policy**.
![Policy tab](/assets/images/help/security/policy-tab.png)
4. Click **Start setup**.
![Start setup button](/assets/images/help/security/start-setup-policy-button.png)
5. In the new _SECURITY.md_ file, add information about supported versions of your project and how to report a vulnerability.
{% data reusables.files.write_commit_message %}
{% data reusables.files.choose-commit-email %}
{% data reusables.files.choose_commit_branch %}
{% data reusables.files.propose_file_change %}
### Further reading
- "[About securing your repository](/github/administering-a-repository/about-securing-your-repository)"
- "[Setting up your project for healthy contributions](/github/building-a-strong-community/setting-up-your-project-for-healthy-contributions)"
- [{% data variables.product.prodname_security %}]({% data variables.product.prodname_security_link %})
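Review bot: step 5 only says to add "supported versions" and "how to report a vulnerability", with no guidance on what kind of reporting channel to name. Since "About security policies" notes that the policy link is shown when someone creates an issue, suggest adding a sentence that the reporting instructions should give a private contact route rather than the public issue tracker.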

@@ -0,0 +1,84 @@
---
title: Collaborating in a temporary private fork to resolve a security vulnerability
intro: You can create a temporary private fork to privately collaborate on fixing a security vulnerability in your repository.
redirect_from:
- /articles/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
- /github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
versions:
free-pro-team: '*'
---
### Prerequisites
Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "[Creating a security advisory](/github/managing-security-vulnerabilities/creating-a-security-advisory)."
### Creating a temporary private fork
Anyone with admin permissions to a security advisory can create a temporary private fork.
To keep information about vulnerabilities secure, integrations, including CI, cannot access temporary private forks.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to create a temporary private fork in.
![Security advisory in list](/assets/images/help/security/security-advisory-in-list.png)
5. Click **New temporary private fork**.
![New temporary private fork button](/assets/images/help/security/new-temporary-private-fork-button.png)
### Adding collaborators to a temporary private fork
Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "[Adding a collaborator to a security advisory](/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)."
### Adding changes to a temporary private fork
Anyone with write permissions to a security advisory can add changes to a temporary private fork.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to add changes to.
![Security advisory in list](/assets/images/help/security/security-advisory-in-list.png)
5. Add your changes on {% data variables.product.product_name %} or locally:
- To add changes on {% data variables.product.product_name %}, under "Add changes to this advisory", click **the temporary private fork**. Then, create a new branch and edit files. For more information, see "[Creating and deleting branches within your repository](/articles/creating-and-deleting-branches-within-your-repository)" and "[Editing files in your repository](/articles/editing-files-in-your-repository)."
- To add changes locally, follow the instructions under "Clone and create a new branch" and "Make your changes, then push."
![Add changes to this advisory box](/assets/images/help/security/add-changes-to-this-advisory-box.png)
### Creating a pull request from a temporary private fork
Anyone with write permissions to a security advisory can create a pull request from a temporary private fork.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to create a pull request in.
![Security advisory in list](/assets/images/help/security/security-advisory-in-list.png)
5. To the right of your branch name, click **Compare & pull request**.
![Compare & pull request button](/assets/images/help/security/security-advisory-compare-and-pr.png)
{% data reusables.repositories.pr-title-description %}
{% data reusables.repositories.create-pull-request %}
{% data reusables.repositories.merge-all-pulls-together %} For more information, see "[Merging changes in a security advisory](#merging-changes-in-a-security-advisory)."
### Merging changes in a security advisory
Anyone with admin permissions to a security advisory can merge changes in a security advisory.
{% data reusables.repositories.merge-all-pulls-together %}
Before you can merge changes in a security advisory, every open pull request in the temporary private fork must be mergeable. There can be no merge conflicts, and branch protection requirements must be satisfied. To keep information about vulnerabilities secure, status checks do not run on pull requests in temporary private forks. For more information, see "[About protected branches](/articles/about-protected-branches)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory with changes you'd like to merge.
![Security advisory in list](/assets/images/help/security/security-advisory-in-list.png)
5. To merge all open pull requests in the temporary private fork, click **Merge pull requests**.
![Merge pull requests button](/assets/images/help/security/merge-pull-requests-button.png)
After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "[Publishing a security advisory](/github/managing-security-vulnerabilities/publishing-a-security-advisory)."
### Further reading
- "[Permission levels for security advisories](/github/managing-security-vulnerabilities/permission-levels-for-security-advisories)"
- "[Publishing a security advisory](/github/managing-security-vulnerabilities/publishing-a-security-advisory)"
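Review bot: in "Merging changes in a security advisory" the text says branch protection requirements must be satisfied and, in the next sentence, that status checks do not run on pull requests in temporary private forks, without saying how a required status check is treated. Suggest stating that explicitly, and adding a line under "Adding changes to a temporary private fork" telling contributors to build and test the fix locally, since "integrations, including CI, cannot access temporary private forks". Separately, the `merge-all-pulls-together` reusable is included twice on this page (end of the pull request steps and again under the merge heading); one of the two could go.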

@@ -0,0 +1,37 @@
---
title: Creating a security advisory
intro: You can create a draft security advisory to privately discuss and fix a security vulnerability in your open source project.
redirect_from:
- /articles/creating-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/creating-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/creating-a-security-advisory
versions:
free-pro-team: '*'
---
Anyone with admin permissions to a repository can create a security advisory.
{% data reusables.security-advisory.security-researcher-cannot-create-advisory %}
### Creating a security advisory
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. Click **New draft security advisory**.
![Open draft advisory button](/assets/images/help/security/security-advisory-new-draft-security-advisory-button.png)
5. Type a title for your security advisory.
{% data reusables.repositories.security-advisory-edit-details %}
{% data reusables.repositories.security-advisory-edit-severity %}
{% data reusables.repositories.security-advisory-edit-cwe-cve %}
{% data reusables.repositories.security-advisory-edit-description %}
11. Click **Create draft security advisory**.
![Create security advisory button](/assets/images/help/security/security-advisory-create-security-advisory-button.png)
### Next steps
- Comment on the draft security advisory to discuss the vulnerability with your team.
- Add collaborators to the security advisory. For more information, see "[Adding a collaborator to a security advisory](/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-maintainer-security-advisory)."
- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[Collaborating in a temporary private fork to resolve a security vulnerability](/github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability)."
- Add individuals who should receive credit for contributing to the security advisory. For more information, see "[Editing a security advisory](/github/managing-security-vulnerabilities/editing-a-security-advisory#about-credits-for-security-advisories)."
- Publish the security advisory to notify your community of the security vulnerability. For more information, see "[Publishing a security advisory](/github/managing-security-vulnerabilities/publishing-a-security-advisory)."
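Review bot: the "Add collaborators" bullet under "Next steps" links to `/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-maintainer-security-advisory`, which is one of the legacy `redirect_from` entries of the collaborator article, whereas every other page in this commit links to `adding-a-collaborator-to-a-security-advisory`. Suggest using the current slug here as well.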

@@ -0,0 +1,38 @@
---
title: Editing a security advisory
intro: You can edit the metadata and description for a security advisory if you need to update details or correct errors.
redirect_from:
- /github/managing-security-vulnerabilities/editing-a-security-advisory
versions:
free-pro-team: '*'
---
People with admin permissions to a security advisory can edit the security advisory.
### About credits for security advisories
You can credit people who helped discover, report, or fix a security vulnerability. If you credit someone, they can choose to accept or decline credit.
If someone accepts credit, the person's username appears in the "Credits" section of the security advisory. Anyone with read access to the repository can see the advisory and the people who accepted credit for it.
### Editing a security advisory
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to edit.
5. In the upper-right corner of the details for the security advisory, click {% octicon "pencil" aria-label="The edit icon" %}.
![Edit button for a security advisory](/assets/images/help/security/security-advisory-edit-button.png)
{% data reusables.repositories.security-advisory-edit-details %}
{% data reusables.repositories.security-advisory-edit-severity %}
{% data reusables.repositories.security-advisory-edit-cwe-cve %}
{% data reusables.repositories.security-advisory-edit-description %}
11. Optionally, edit the "Credits" for the security advisory.
![Credits for a security advisory](/assets/images/help/security/security-advisory-credits.png)
12. Click **Update security advisory**.
![Add button](/assets/images/help/security/update-advisory-button.png)
13. The people listed in the "Credits" section will receive an email or web notification inviting them to accept credit. If a person accepts, their username will be publicly visible once the security advisory is published.
### Further reading
- "[Withdrawing a security advisory](/github/managing-security-vulnerabilities/withdrawing-a-security-advisory)"
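Review bot: the image after step 12 ("Click **Update security advisory**") has the alt text "Add button" although the file is `update-advisory-button.png`; it looks copied from the add-collaborator page and should describe the update button. Also, step 13 is not an action the reader takes but a description of what happens next, so it would read better as a paragraph after the numbered list.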

@@ -0,0 +1,23 @@
---
title: Managing security advisories for vulnerabilities in your project
shortTitle: Security advisories
intro: 'Discuss, fix, and disclose security vulnerabilities in your repositories using security advisories.'
redirect_from:
- /articles/managing-security-vulnerabilities-in-your-project
- /github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project
versions:
free-pro-team: '*'
---
### Table of Contents
{% link_in_list /adding-a-security-policy-to-your-repository %}
{% link_in_list /about-github-security-advisories %}
{% link_in_list /permission-levels-for-security-advisories %}
{% link_in_list /creating-a-security-advisory %}
{% link_in_list /adding-a-collaborator-to-a-security-advisory %}
{% link_in_list /removing-a-collaborator-from-a-security-advisory %}
{% link_in_list /collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability %}
{% link_in_list /publishing-a-security-advisory %}
{% link_in_list /editing-a-security-advisory %}
{% link_in_list /withdrawing-a-security-advisory %}
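Review bot: the heading "### Table of Contents" is title case, while the other headings added in this commit use sentence case ("### Further reading", "### Next steps", "### Permissions overview"). Suggest "### Table of contents" for consistency.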

@@ -0,0 +1,35 @@
---
title: Permission levels for security advisories
intro: The actions you can take in a security advisory depend on whether you have admin or write permissions to the security advisory.
redirect_from:
- /articles/permission-levels-for-maintainer-security-advisories
- /github/managing-security-vulnerabilities/permission-levels-for-maintainer-security-advisories
- /github/managing-security-vulnerabilities/permission-levels-for-security-advisories
versions:
free-pro-team: '*'
---
### Permissions overview
{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see "[Adding a collaborator to a security advisory](/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)."
Action | Write permissions | Admin permissions |
------ | ----------------- | ----------------- |
See a draft security advisory | X | X |
Add collaborators to the security advisory (see "[Adding a collaborator to a security advisory](/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)") | | X |
Edit and delete any comments in the security advisory | X | X |
Create a temporary private fork in the security advisory (see "[Collaborating in a temporary private fork to resolve a security vulnerability](/articles/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability)") | | X |
Add changes to a temporary private fork in the security advisory (see "[Collaborating in a temporary private fork to resolve a security vulnerability](/articles/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability)") | X | X |
Create pull requests in a temporary private fork (see "[Collaborating in a temporary private fork to resolve a security vulnerability](/github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability)") | X | X |
Merge changes in the security advisory (see "[Collaborating in a temporary private fork to resolve a security vulnerability](/articles/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability)") | | X |
Add and edit metadata in the security advisory (see "[Publishing a security advisory](/github/managing-security-vulnerabilities/publishing-a-security-advisory)") | X | X |
Add and remove credits for a security advisory (see "[Editing a security advisory](/github/managing-security-vulnerabilities/editing-a-security-advisory#about-credits-for-security-advisories)") | X | X |
Close the draft security advisory | | X |
Publish the security advisory (see "[Publishing a security advisory](/github/managing-security-vulnerabilities/publishing-a-security-advisory)") | | X |
### Further reading
- "[Adding a collaborator to a security advisory](/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)"
- "[Collaborating in a temporary private fork to resolve a security vulnerability](/github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability)"
- "[Removing a collaborator from a security advisory](/github/managing-security-vulnerabilities/removing-a-collaborator-from-a-security-advisory)"
- "[Withdrawing a security advisory](/github/managing-security-vulnerabilities/withdrawing-a-security-advisory)"
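Review bot: the table rows link to the same temporary private fork article with two different prefixes: the "Create a temporary private fork", "Add changes" and "Merge changes" rows use `/articles/collaborating-in-a-temporary-private-fork-…`, while the "Create pull requests" row uses `/github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-…`. Suggest using one form for all four rows. The header and separator rows also lack the leading pipe while carrying a trailing one, which is worth normalising.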

@@ -0,0 +1,90 @@
---
title: Publishing a security advisory
intro: You can publish a security advisory to alert your community about a security vulnerability in your project.
redirect_from:
- /articles/publishing-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/publishing-a-maintainer-security-advisory
- /github/managing-security-vulnerabilities/publishing-a-security-advisory
versions:
free-pro-team: '*'
---
<!--Marketing-LINK: From /features/security/software-supply-chain page "Publishing a security advisory".-->
Anyone with admin permissions to a security advisory can publish the security advisory.
### Prerequisites
Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "[Creating a security advisory](/github/managing-security-vulnerabilities/creating-a-security-advisory)."
If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "[Editing a security advisory](/github/managing-security-vulnerabilities/editing-a-security-advisory)."
### About publishing a security advisory
When you publish a security advisory, you notify your community about the security vulnerability that the security advisory addresses. Publishing a security advisory makes it easier for your community to update package dependencies and research the impact of the security vulnerability.
{% data reusables.repositories.security-advisories-republishing %}
Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[Collaborating in a temporary private fork to resolve a security vulnerability](/articles/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability)."
{% warning %}
**Warning**: Whenever possible, you should always add a fix version to a security advisory prior to publishing the advisory. If you don't, the advisory will be published without a fixed version, and {% data variables.product.prodname_dependabot %} will alert your users about the issue, without offering any safe version to update to.
We recommend you take the following steps in these different situations:
- If a fix version is imminently available, and you are able to, wait to disclose the issue when the fix is ready.
- If a fix version is in development but not yet available, mention this in the advisory, and edit the advisory later, after publication.
- If you are not planning to fix the issue, be clear about it in the advisory so that your users don't contact you to ask when a fix will be made. In this case, it is helpful to include steps users can take to mitigate the issue.
{% endwarning %}
When you publish a draft advisory from a public repository, everyone is able to see:
- The current version of the advisory data.
- Any advisory credits that the credited users have accepted.
{% note %}
**Note**: The general public will never have access to the edit history of the advisory, and will only see the published version.
{% endnote %}
After you publish a security advisory, the URL for the security advisory will remain the same as before you published the security advisory. Anyone with read access to the repository can see the security advisory. Collaborators on the security advisory can continue to view past conversations, including the full comment stream, in the security advisory unless someone with admin permissions removes the collaborator from the security advisory.
If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "[Editing a security advisory](/github/managing-security-vulnerabilities/editing-a-security-advisory)."
### Requesting a CVE identification number
Anyone with admin permissions to a security advisory can request a CVE identification number for the security advisory.
{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories#cve-identification-numbers)."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to request a CVE identification number for.
![Security advisory in list](/assets/images/help/security/security-advisory-in-list.png)
5. Use the **Publish advisory** drop-down menu, and click **Request CVE**.
![Request CVE in drop-down](/assets/images/help/security/security-advisory-drop-down-request-cve.png)
6. Click **Request CVE**.
![Request CVE button](/assets/images/help/security/security-advisory-request-cve-button.png)
### Publishing a security advisory
Publishing a security advisory deletes the temporary private fork for the security advisory.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to publish.
![Security advisory in list](/assets/images/help/security/security-advisory-in-list.png)
5. At the bottom of the page, click **Publish advisory**.
![Publish advisory button](/assets/images/help/security/publish-advisory-button.png)
### {% data variables.product.prodname_dependabot_alerts %} for published security advisories
{% data reusables.repositories.github-reviews-security-advisories %}
### Further reading
- "[Withdrawing a security advisory](/github/managing-security-vulnerabilities/withdrawing-a-security-advisory)"
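Review bot: the sentence "Publishing a security advisory deletes the temporary private fork for the security advisory." under "### Publishing a security advisory" describes an irreversible side effect but is plain body text with no callout and no pointer to merging first. Suggest wrapping it in a `{% warning %}` block, as is already done for the fix-version advice earlier on this page, and linking to "Merging changes in a security advisory" so readers merge their pull requests before clicking **Publish advisory**.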

@@ -0,0 +1,29 @@
---
title: Removing a collaborator from a security advisory
intro: 'When you remove a collaborator from a security advisory, they lose read and write access to the security advisory''s discussion and metadata.'
redirect_from:
- /github/managing-security-vulnerabilities/removing-a-collaborator-from-a-security-advisory
versions:
free-pro-team: '*'
---
People with admin permissions to a security advisory can remove collaborators from the security advisory.
### Removing a collaborator from a security advisory
{% data reusables.repositories.security-advisory-collaborators-public-repositories %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to remove a collaborator from.
![Security advisory in list](/assets/images/help/security/security-advisory-in-list.png)
5. On the right side of the page, under "Collaborators", find the name of the user or team you'd like to remove from the security advisory.
![Security advisory collaborator](/assets/images/help/security/security-advisory-collaborator.png)
6. Next to the collaborator you want to remove, click the **X** icon.
![X icon to remove security advisory collaborator](/assets/images/help/security/security-advisory-remove-collaborator-x.png)
### Further reading
- "[Permission levels for security advisories](/github/managing-security-vulnerabilities/permission-levels-for-security-advisories)"
- "[Adding a collaborator to a security advisory](/github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory)"
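Review bot: the `security-advisory-collaborators-public-repositories` reusable is placed directly under the heading as body text here, whereas the "Adding a collaborator" article in this commit wraps the same reusable in `{% note %}` … `{% endnote %}`. Suggest using the note wrapper on both pages so the caveat is presented the same way. The intro also names only the advisory's "discussion and metadata"; it would help to say whether access to the temporary private fork is revoked as well.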

@@ -0,0 +1,14 @@
---
title: Withdrawing a security advisory
intro: You can withdraw a security advisory that you've published.
redirect_from:
- /github/managing-security-vulnerabilities/withdrawing-a-security-advisory
versions:
free-pro-team: '*'
---
If you publish a security advisory in error, you can withdraw the security advisory by contacting {% data variables.contact.contact_support %}.
### Further reading
- [Editing a security advisory](/github/managing-security-vulnerabilities/editing-a-security-advisory)
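Review bot: the "Further reading" entry is written as `- [Editing a security advisory](…)` without the surrounding double quotes that every other internal link in this commit's "Further reading" lists uses (`- "[…](…)"`). Suggest adding the quotes for consistency.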