This commit is contained in:
Anne-Marie
@@ -5,6 +5,7 @@ redirect_from:
|
||||
- /code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
|
||||
- /code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
|
||||
- /code-security/security-advisories/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
|
||||
- /code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -52,7 +53,7 @@ Publishing the details of a security vulnerability doesn't make maintainers look
|
||||
|
||||
There are two processes available on {% data variables.product.prodname_dotcom %}:
|
||||
|
||||
- The standard process: Vulnerability reporters get in touch with the repository maintainers, using contact information located in the security policy for the repository. The repository maintainers then create a draft repository advisory if required.
|
||||
- The standard process: Vulnerability reporters get in touch with the repository maintainers, using contact information located in the security policy for the repository. The repository maintainers then create a draft repository advisory if required.
|
||||
- Private vulnerability reporting: Vulnerability reporters disclose vulnerability details directly and privately to the repository maintainers by proposing a draft repository advisory and providing details of their findings.
|
||||
|
||||
### Standard process
|
||||
@@ -73,15 +74,15 @@ The process for reporting and disclosing vulnerabilities for projects on {% data
|
||||
|
||||
If you are a maintainer, you can take ownership of the process at the very beginning of the pipeline by setting up a security policy for your repository, or otherwise making security reporting instructions clearly available, for example in your project’s README file. For information about adding a security policy, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository#about-security-policies)." If there is no security policy, it's likely that a vulnerability reporter will try to email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue.
|
||||
|
||||
As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
|
||||
As a maintainer, to disclose a vulnerability in your code, you first create a draft security advisory in the package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
|
||||
|
||||
To get started, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
To get started, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
|
||||
### Private vulnerability reporting
|
||||
|
||||
{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
|
||||
|
||||
Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within {% data variables.product.prodname_dotcom %}, and in a way that immediately notifies the repository maintainers of the issue. For more information for security researchers and repository maintainers, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)" and "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities)", respectively.
|
||||
Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within {% data variables.product.prodname_dotcom %}, and in a way that immediately notifies the repository maintainers of the issue. For more information for security researchers and repository maintainers, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)" and "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities)", respectively.
|
||||
|
||||
{% note %}
|
||||
|
||||
@@ -11,6 +11,7 @@ topics:
|
||||
shortTitle: Best practices
|
||||
redirect_from:
|
||||
- /code-security/repository-security-advisories/best-practices-for-writing-repository-security-advisories
|
||||
- /code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories
|
||||
---
|
||||
|
||||
Anyone with admin permissions to a repository can create and edit a security advisory.
|
||||
@@ -19,7 +20,7 @@ Anyone with admin permissions to a repository can create and edit a security adv
|
||||
|
||||
## About security advisories for repositories
|
||||
|
||||
{% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
|
||||
{% data reusables.security-advisory.security-advisory-overview %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
|
||||
|
||||
## Best practices
|
||||
|
||||
@@ -30,13 +31,13 @@ If you follow the syntax for the {% data variables.product.prodname_advisory_dat
|
||||
- {% data variables.product.prodname_dependabot %} will have the information to accurately identify repositories that are affected and send them {% data variables.product.prodname_dependabot_alerts %} to notify them.
|
||||
- Community members are less likely to suggest edits to your advisory to fix missing or incorrect information.
|
||||
|
||||
You add or edit a repository advisory using the _Draft security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
You add or edit a repository advisory using the _Draft security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
|
||||
You suggest an improvement to an existing global advisory using the _Improve security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
|
||||
You suggest an improvement to an existing global advisory using the _Improve security advisory_ form. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
|
||||
|
||||
### Ecosystem
|
||||
|
||||
You need to assign the advisory to one of our supported ecosystems using the **Ecosystem** field. For more information about the ecosystems we support, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database#github-reviewed-advisories)."
|
||||
You need to assign the advisory to one of our supported ecosystems using the **Ecosystem** field. For more information about the ecosystems we support, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database#github-reviewed-advisories)."
|
||||
|
||||
|
||||
|
||||
@@ -2,6 +2,8 @@
|
||||
title: Guidance on reporting and writing information about vulnerabilities
|
||||
shortTitle: Guidance on reporting and writing
|
||||
intro: Best practices for writing security advisories and managing privately reported security vulnerabilities.
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/guidance-on-reporting-and-writing
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -16,4 +18,3 @@ children:
|
||||
- /privately-reporting-a-security-vulnerability
|
||||
- /managing-privately-reported-security-vulnerabilities
|
||||
---
|
||||
|
||||
@@ -10,6 +10,8 @@ topics:
|
||||
- Security advisories
|
||||
- Vulnerabilities
|
||||
shortTitle: Manage vulnerability reports
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities
|
||||
---
|
||||
|
||||
{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
|
||||
@@ -24,13 +26,13 @@ When a security researcher reports a vulnerability privately, you are notified a
|
||||
|
||||
{% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}
|
||||
|
||||
For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."
|
||||
For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-security %}
|
||||
{% data reusables.repositories.sidebar-advisories %}
|
||||
1. Click the advisory you want to review. An advisory that was reported privately has a status of `Triage`.
|
||||
|
||||
|
||||
|
||||
|
||||
1. Carefully review the report, then choose how to proceed.
|
||||
@@ -38,7 +40,7 @@ For more information about configuring notification preferences, see "[AUTOTITLE
|
||||
- To accept the reported vulnerability, click **Accept and open as draft** to accept the vulnerability report as a draft advisory on {% data variables.product.prodname_dotcom %}. If you choose this option:
|
||||
- This doesn't make the report public.
|
||||
- The report becomes a draft repository security advisory and you can work on it in the same way as any draft advisory that you create.
|
||||
For more information on security advisories, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."
|
||||
For more information on security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."
|
||||
- To ask for more information, or to open a discussion with the reporter, you can comment on the advisory. Any comments are visible only to the reporter and to any collaborators on the advisory.
|
||||
- If you have enough information to determine that the problem the reporter describes is not a security risk, click **Close security advisory**. Where possible, you should add a comment explaining why you don't consider the report a security risk before you close the advisory.
|
||||
|
||||
@@ -9,14 +9,16 @@ topics:
|
||||
- Security advisories
|
||||
- Vulnerabilities
|
||||
shortTitle: Privately reporting
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
|
||||
---
|
||||
|
||||
{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
|
||||
|
||||
{% note %}
|
||||
|
||||
**Notes:**
|
||||
- If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
**Notes:**
|
||||
- If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
- The ability to privately report a vulnerability in a repository is not related to the presence of a `SECURITY.md` file in that repository's root or `docs` directory.
|
||||
- The `SECURITY.md` file contains the security policy for the repository. Repository administrators can add and use this file to provide _public_ instructions for how to report a security vulnerability in their repository. For more information, see "[AUTOTITLE](/code-security/getting-started/adding-a-security-policy-to-your-repository)."
|
||||
- You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the `SECURITY.md` file. This reporting process is fully private, and {% data variables.product.prodname_dotcom %} notifies the repository administrators directly about your submission.
|
||||
@@ -38,8 +40,8 @@ For security researchers, the benefits of using private vulnerability reporting
|
||||
|
||||
## Privately reporting a security vulnerability
|
||||
|
||||
If you do not have admin or security permissions for a public repository, you can still privately report a security vulnerability to repository maintainers. You can also evaluate the general security of a public repository and suggest a security policy. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/evaluating-the-security-settings-of-a-repository)."
|
||||
If you do not have admin or security permissions for a public repository, you can still privately report a security vulnerability to repository maintainers. You can also evaluate the general security of a public repository and suggest a security policy. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/evaluating-the-security-settings-of-a-repository)."
|
||||
|
||||
{% data reusables.security-advisory.reporting-a-vulnerability-non-admin %}
|
||||
|
||||
The next steps depend on the action taken by the repository maintainer. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities)."
|
||||
The next steps depend on the action taken by the repository maintainer. For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities)."
|
||||
@@ -1,6 +1,7 @@
|
||||
---
|
||||
title: Working with security advisories
|
||||
shortTitle: Security advisories
|
||||
allowTitleToDifferFromFilename: true
|
||||
intro: 'Learn how to work with security advisories on {% data variables.product.prodname_dotcom %},{% ifversion fpt or ghec %} whether you want to contribute to an existing global advisory, or create a security advisory for a repository,{% endif %} improving collaboration between repository maintainers and security researchers.'
|
||||
versions:
|
||||
fpt: '*'
|
||||
@@ -13,8 +14,7 @@ topics:
|
||||
- Repositories
|
||||
- CVEs
|
||||
children:
|
||||
- /global-security-advisories
|
||||
- /repository-security-advisories
|
||||
- /guidance-on-reporting-and-writing
|
||||
- /working-with-global-security-advisories-from-the-github-advisory-database
|
||||
- /working-with-repository-security-advisories
|
||||
- /guidance-on-reporting-and-writing-information-about-vulnerabilities
|
||||
---
|
||||
|
||||
|
||||
@@ -1,45 +0,0 @@
|
||||
---
|
||||
title: Permission levels for repository security advisories
|
||||
intro: The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
|
||||
redirect_from:
|
||||
- /articles/permission-levels-for-maintainer-security-advisories
|
||||
- /github/managing-security-vulnerabilities/permission-levels-for-maintainer-security-advisories
|
||||
- /github/managing-security-vulnerabilities/permission-levels-for-security-advisories
|
||||
- /code-security/security-advisories/permission-levels-for-security-advisories
|
||||
- /code-security/repository-security-advisories/permission-levels-for-repository-security-advisories
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
type: reference
|
||||
topics:
|
||||
- Security advisories
|
||||
- Vulnerabilities
|
||||
- Permissions
|
||||
shortTitle: Permission levels
|
||||
---
|
||||
This article applies only to repository-level security advisories. Anyone can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
|
||||
|
||||
## Permissions overview
|
||||
|
||||
{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
|
||||
|
||||
Action | Write permissions | Admin permissions |
|
||||
------ | ----------------- | ----------------- |
|
||||
See a draft security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Add collaborators to the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Edit and delete any comments in the security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Create a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Add changes to a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Create pull requests in a temporary private fork (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Merge changes in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Add and edit metadata in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Add and remove credits for a security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Close the draft security advisory | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Publish the security advisory (see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory)"
|
||||
@@ -12,22 +12,24 @@ topics:
|
||||
- Alerts
|
||||
- Vulnerabilities
|
||||
- CVEs
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/global-security-advisories/about-global-security-advisories
|
||||
---
|
||||
|
||||
## About global security advisories
|
||||
|
||||
{% ifversion fpt or ghec %}There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)."{% endif %}
|
||||
{% ifversion fpt or ghec %}There are two types of advisories: global security advisories and repository security advisories. For more information about repository security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories)."{% endif %}
|
||||
|
||||
Global security advisories are grouped into two categories: {% data variables.product.company_short %}-reviewed advisories and unreviewed advisories.
|
||||
- {% data variables.product.company_short %}-reviewed advisories are security vulnerabilities{% ifversion GH-advisory-db-supports-malware %} or malware{% endif %} that have been mapped to packages in ecosystems we support.
|
||||
- Unreviewed advisories are security vulnerabilites that we publish automatically into the {% data variables.product.prodname_advisory_database %}, directly from the National Vulnerability Database feed.
|
||||
|
||||
For more information about the {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database)."
|
||||
For more information about the {% data variables.product.prodname_advisory_database %}, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database)."
|
||||
|
||||
{% data reusables.security-advisory.global-advisories %}
|
||||
|
||||
Every repository advisory is reviewed by the {% data variables.product.prodname_security %} curation team for consideration as a global advisory. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories).
|
||||
|
||||
You can access any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database)."
|
||||
You can access any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/browsing-security-advisories-in-the-github-advisory-database)."
|
||||
|
||||
You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
|
||||
You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
|
||||
@@ -12,6 +12,8 @@ topics:
|
||||
- Alerts
|
||||
- Vulnerabilities
|
||||
- CVEs
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/global-security-advisories/about-the-github-advisory-database
|
||||
---
|
||||
|
||||
## About the {% data variables.product.prodname_advisory_database %}
|
||||
@@ -8,6 +8,7 @@ redirect_from:
|
||||
- /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/browsing-security-vulnerabilities-in-the-github-advisory-database
|
||||
- /code-security/dependabot/dependabot-alerts/browsing-security-vulnerabilities-in-the-github-advisory-database
|
||||
- /code-security/dependabot/dependabot-alerts/browsing-security-advisories-in-the-github-advisory-database
|
||||
- /code-security/security-advisories/global-security-advisories/browsing-security-advisories-in-the-github-advisory-database
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -45,7 +46,7 @@ Additionally, you can access the {% data variables.product.prodname_advisory_dat
|
||||
|
||||
## Editing an advisory in the {% data variables.product.prodname_advisory_database %}
|
||||
|
||||
You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
|
||||
You can suggest improvements to any advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
|
||||
|
||||
## Searching the {% data variables.product.prodname_advisory_database %}
|
||||
|
||||
@@ -75,7 +76,7 @@ You can search the database, and use qualifiers to narrow your search. For examp
|
||||
| `created:YYYY-MM-DD`| [**created:2021-01-13**](https://github.com/advisories?utf8=%E2%9C%93&query=created%3A2021-01-13) will show only advisories created on this date. |
|
||||
| `updated:YYYY-MM-DD`| [**updated:2021-01-13**](https://github.com/advisories?utf8=%E2%9C%93&query=updated%3A2021-01-13) will show only advisories updated on this date. |
|
||||
|
||||
A `GHSA-ID` qualifier is a unique ID that we at {% data variables.product.prodname_dotcom %} automatically assign to every advisory in the {% data variables.product.prodname_advisory_database %}. For more information about these identifiers, see "[About the {% data variables.product.prodname_advisory_database %}](/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database#about-ghsa-ids)."
|
||||
A `GHSA-ID` qualifier is a unique ID that we at {% data variables.product.prodname_dotcom %} automatically assign to every advisory in the {% data variables.product.prodname_advisory_database %}. For more information about these identifiers, see "[About the {% data variables.product.prodname_advisory_database %}](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids)."
|
||||
|
||||
## Viewing your vulnerable repositories
|
||||
|
||||
@@ -105,7 +106,7 @@ You can use your local advisory database to check whether a specific security vu
|
||||
{% endnote %}
|
||||
1. Click an advisory to view details.{% ifversion GH-advisory-db-supports-malware %} By default, you will see {% data variables.product.company_short %}-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar.{% endif %}
|
||||
|
||||
You can also suggest improvements to any advisory directly from your local advisory database. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database#editing-advisories-from-your-github-enterprise-server-instance)".
|
||||
You can also suggest improvements to any advisory directly from your local advisory database. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database#editing-advisories-from-your-github-enterprise-server-instance)".
|
||||
|
||||
### Viewing vulnerable repositories for {% data variables.location.product_location %}
|
||||
|
||||
@@ -5,6 +5,7 @@ redirect_from:
|
||||
- /code-security/security-advisories/editing-security-advisories-in-the-github-advisory-database
|
||||
- /code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/editing-security-advisories-in-the-github-advisory-database
|
||||
- /code-security/dependabot/dependabot-alerts/editing-security-advisories-in-the-github-advisory-database
|
||||
- /code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -22,20 +23,20 @@ shortTitle: Edit Advisory Database
|
||||
|
||||
## Editing advisories in the {% data variables.product.prodname_advisory_database %}
|
||||
|
||||
The advisories in the {% data variables.product.prodname_advisory_database %} are global security advisories. For more information about global security advisories, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/about-global-security-advisories)."
|
||||
The advisories in the {% data variables.product.prodname_advisory_database %} are global security advisories. For more information about global security advisories, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-global-security-advisories)."
|
||||
|
||||
Anyone can suggest improvements on any global security advisory in the {% data variables.product.prodname_advisory_database %}. You can edit or add any detail, including additionally affected ecosystems, severity level or description of who is impacted. The {% data variables.product.prodname_security %} curation team will review the submitted improvements and publish them onto the {% data variables.product.prodname_advisory_database %} if accepted.
|
||||
|
||||
{% ifversion security-advisories-credit-types %}
|
||||
If we accept and publish the improvement, the person who submitted the improvement will automatically be assigned a credit type of "Analyst". For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."{% endif %}
|
||||
If we accept and publish the improvement, the person who submitted the improvement will automatically be assigned a credit type of "Analyst". For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."{% endif %}
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
Only repository owners and administrators can edit repository-level security advisories. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)."{% endif %}
|
||||
Only repository owners and administrators can edit repository-level security advisories. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."{% endif %}
|
||||
|
||||
1. Navigate to https://github.com/advisories.
|
||||
1. Select the security advisory you would like to contribute to.
|
||||
1. On the right-hand side of the page, click the **Suggest improvements for this vulnerability** link.
|
||||
1. In the "Improve security advisory" form, make the desired improvements. You can edit or add any detail.{% ifversion fpt or ghec %} For information about correctly specifying information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories)."{% endif %}{% ifversion security-advisories-reason-for-change %}
|
||||
1. In the "Improve security advisory" form, make the desired improvements. You can edit or add any detail.{% ifversion fpt or ghec %} For information about correctly specifying information on the form, including affected versions, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/best-practices-for-writing-repository-security-advisories)."{% endif %}{% ifversion security-advisories-reason-for-change %}
|
||||
1. Under **Reason for change**, explain why you want to make this improvement. If you include links to supporting material this will help our reviewers.
|
||||
{% endif %}
|
||||
1. When you finish editing the advisory, click **Submit improvements**.
|
||||
@@ -2,6 +2,8 @@
|
||||
title: Working with global security advisories from the GitHub Advisory Database
|
||||
shortTitle: Global security advisories
|
||||
intro: 'Browse the {% data variables.product.prodname_advisory_database %} and submit improvements to any global security advisory.'
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/global-security-advisories
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghes: '*'
|
||||
@@ -18,4 +20,3 @@ children:
|
||||
- /browsing-security-advisories-in-the-github-advisory-database
|
||||
- /editing-security-advisories-in-the-github-advisory-database
|
||||
---
|
||||
|
||||
@@ -8,6 +8,7 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/about-github-security-advisories
|
||||
- /code-security/security-advisories/about-github-security-advisories
|
||||
- /code-security/repository-security-advisories/about-github-security-advisories-for-repositories
|
||||
- /code-security/security-advisories/repository-security-advisories/about-repository-security-advisories
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -24,15 +25,15 @@ topics:
|
||||
|
||||
## About repository security advisories
|
||||
|
||||
{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities)."
|
||||
{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "[AUTOTITLE](/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities)."
|
||||
|
||||
{% data reusables.security-advisory.security-advisory-overview %}
|
||||
|
||||
With repository security advisories, you can:
|
||||
|
||||
1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
1. Privately collaborate to fix the vulnerability in a temporary private fork.
|
||||
1. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)."
|
||||
1. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)."
|
||||
|
||||
{% data reusables.repositories.security-advisories-republishing %}
|
||||
|
||||
@@ -40,11 +41,11 @@ With repository security advisories, you can:
|
||||
You can also use the REST API to create, list, and update repository security advisories. For more information, see "[AUTOTITLE](/rest/security-advisories/repository-advisories)" in the REST API documentation.
|
||||
{% endif %}
|
||||
|
||||
You can give credit to individuals who contributed to a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)."
|
||||
You can give credit to individuals who contributed to a security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)."
|
||||
|
||||
{% data reusables.repositories.security-guidelines %}
|
||||
|
||||
If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). Anyone can submit a change to an advisory published in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/global-security-advisories/editing-security-advisories-in-the-github-advisory-database)."
|
||||
If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). Anyone can submit a change to an advisory published in the {% data variables.product.prodname_advisory_database %}. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
|
||||
|
||||
If a security advisory is specifically for npm, we also publish the advisory to the npm security advisories. For more information, see [npmjs.com/advisories](https://www.npmjs.com/advisories).
|
||||
|
||||
@@ -59,7 +60,7 @@ If a security advisory is specifically for npm, we also publish the advisory to
|
||||
When you create a security advisory for a public repository on {% data variables.product.prodname_dotcom %}, you have the option of providing an existing CVE identification number for the security vulnerability. {% data reusables.repositories.request-security-advisory-cve-id %}
|
||||
|
||||
Once you've published the security advisory and {% data variables.product.prodname_dotcom %} has assigned a CVE identification number to the vulnerability, {% data variables.product.prodname_dotcom %} publishes the CVE to the MITRE database.
|
||||
For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)."
|
||||
For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)."
|
||||
|
||||
## {% data variables.product.prodname_dependabot_alerts %} for published security advisories
|
||||
|
||||
@@ -7,6 +7,7 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/adding-a-collaborator-to-a-security-advisory
|
||||
- /code-security/security-advisories/adding-a-collaborator-to-a-security-advisory
|
||||
- /code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
|
||||
- /code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -24,11 +25,11 @@ People with admin permissions to a security advisory can add collaborators to th
|
||||
|
||||
## Adding a collaborator to a security advisory
|
||||
|
||||
Collaborators have write permissions to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories)."
|
||||
Collaborators have write permissions to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)."
|
||||
|
||||
{% note %}
|
||||
|
||||
{% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)."
|
||||
{% data reusables.repositories.security-advisory-collaborators-public-repositories %} For more information about removing a collaborator on a security advisory, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)."
|
||||
|
||||
{% endnote %}
|
||||
|
||||
@@ -42,6 +43,6 @@ Collaborators have write permissions to the security advisory. For more informat
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)."
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)."
|
||||
@@ -6,6 +6,7 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
|
||||
- /code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability
|
||||
- /code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
|
||||
- /code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -22,7 +23,7 @@ shortTitle: Temporary private forks
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
Before you can collaborate in a temporary private fork, you must create a draft security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
|
||||
## Creating a temporary private fork
|
||||
|
||||
@@ -51,7 +52,7 @@ For example, if you create a temporary private fork in a repository called `octo
|
||||
|
||||
## Adding collaborators to a temporary private fork
|
||||
|
||||
Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
|
||||
Anyone with admin permissions to a security advisory can add additional collaborators to the security advisory, and collaborators on the security advisory can access the temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
|
||||
|
||||
## Adding changes to a temporary private fork
|
||||
|
||||
@@ -107,9 +108,9 @@ Additionally, there can be no merge conflicts, and {% data variables.product.pro
|
||||
|
||||
{% endnote %}
|
||||
|
||||
After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)."
|
||||
After you merge changes in a security advisory, you can publish the security advisory to alert your community about the security vulnerability in previous versions of your project. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)."
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)"
|
||||
@@ -10,6 +10,8 @@ topics:
|
||||
- Security advisories
|
||||
- Vulnerabilities
|
||||
shortTitle: Configure for a repository
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
|
||||
---
|
||||
|
||||
## About privately reporting a security vulnerability
|
||||
@@ -21,7 +23,7 @@ Security researchers often feel responsible for alerting users to a vulnerabilit
|
||||
For maintainers, the benefits of using private vulnerability reporting are:
|
||||
{% data reusables.security-advisory.private-vulnerability-reporting-benefits %}
|
||||
|
||||
The instructions in this article refer to enablement at repository level. For information about enabling the feature at organization level, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization)."
|
||||
The instructions in this article refer to enablement at repository level. For information about enabling the feature at organization level, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization)."
|
||||
|
||||
## Enabling or disabling private vulnerability reporting for a repository
|
||||
|
||||
@@ -10,6 +10,8 @@ topics:
|
||||
- Security advisories
|
||||
- Vulnerabilities
|
||||
shortTitle: Configure for an organization
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
|
||||
---
|
||||
|
||||
## About privately reporting a security vulnerability
|
||||
@@ -21,11 +23,11 @@ Security researchers often feel responsible for alerting users to a vulnerabilit
|
||||
For organization owners and security managers, the benefits of using private vulnerability reporting are:
|
||||
{% data reusables.security-advisory.private-vulnerability-reporting-benefits %}
|
||||
|
||||
The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
|
||||
The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
|
||||
|
||||
{% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}
|
||||
|
||||
For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."
|
||||
For more information about configuring notification preferences, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting)."
|
||||
|
||||
## Enabling or disabling private vulnerability reporting for all the existing public repositories in an organization
|
||||
|
||||
@@ -8,6 +8,7 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/creating-a-security-advisory
|
||||
- /code-security/security-advisories/creating-a-security-advisory
|
||||
- /code-security/repository-security-advisories/creating-a-repository-security-advisory
|
||||
- /code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -79,7 +80,7 @@ If someone accepts credit, the person's username appears in the "Credits" sectio
|
||||
## Next steps
|
||||
|
||||
- Comment on the draft security advisory to discuss the vulnerability with your team.
|
||||
- Add collaborators to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
|
||||
- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
|
||||
- Add individuals who should receive credit for contributing to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)."
|
||||
- Publish the security advisory to notify your community of the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory)."
|
||||
- Add collaborators to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
|
||||
- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
|
||||
- Add individuals who should receive credit for contributing to the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories)."
|
||||
- Publish the security advisory to notify your community of the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)."
|
||||
@@ -6,6 +6,7 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/editing-a-security-advisory
|
||||
- /code-security/security-advisories/editing-a-security-advisory
|
||||
- /code-security/repository-security-advisories/editing-a-repository-security-advisory
|
||||
- /code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -36,7 +37,7 @@ You can also use the REST API to edit repository security advisories. For more i
|
||||
{% data reusables.repositories.security-advisory-edit-cwe %}
|
||||
1. Optionally, under "Credits", remove existing credits, or use the search box to find additional people you want to credit on the security advisory, then click their username to add them.
|
||||
{% ifversion security-advisories-credit-types %}
|
||||
- Use the dropdown menu next to the name of the person you're crediting to assign a credit type. For more information about credit types, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."
|
||||
- Use the dropdown menu next to the name of the person you're crediting to assign a credit type. For more information about credit types, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#about-credits-for-repository-security-advisories)."
|
||||
|
||||
|
||||
|
||||
@@ -47,4 +48,4 @@ You can also use the REST API to edit repository security advisories. For more i
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/withdrawing-a-repository-security-advisory)"
|
||||
@@ -10,6 +10,8 @@ topics:
|
||||
- Security advisories
|
||||
- Vulnerabilities
|
||||
shortTitle: Evaluate repository security
|
||||
redirect_from:
|
||||
- /code-security/security-advisories/repository-security-advisories/evaluating-the-security-settings-of-a-repository
|
||||
---
|
||||
|
||||
## About evaluating a repository's security settings
|
||||
@@ -6,6 +6,7 @@ redirect_from:
|
||||
- /articles/managing-security-vulnerabilities-in-your-project
|
||||
- /github/managing-security-vulnerabilities/managing-security-vulnerabilities-in-your-project
|
||||
- /code-security/repository-security-advisories
|
||||
- /code-security/security-advisories/repository-security-advisories
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -28,4 +29,3 @@ children:
|
||||
- /removing-a-collaborator-from-a-repository-security-advisory
|
||||
- /withdrawing-a-repository-security-advisory
|
||||
---
|
||||
|
||||
@@ -0,0 +1,46 @@
|
||||
---
|
||||
title: Permission levels for repository security advisories
|
||||
intro: The actions you can take in a repository security advisory depend on whether you have admin or write permissions to the security advisory.
|
||||
redirect_from:
|
||||
- /articles/permission-levels-for-maintainer-security-advisories
|
||||
- /github/managing-security-vulnerabilities/permission-levels-for-maintainer-security-advisories
|
||||
- /github/managing-security-vulnerabilities/permission-levels-for-security-advisories
|
||||
- /code-security/security-advisories/permission-levels-for-security-advisories
|
||||
- /code-security/repository-security-advisories/permission-levels-for-repository-security-advisories
|
||||
- /code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
type: reference
|
||||
topics:
|
||||
- Security advisories
|
||||
- Vulnerabilities
|
||||
- Permissions
|
||||
shortTitle: Permission levels
|
||||
---
|
||||
This article applies only to repository-level security advisories. Anyone can contribute to global security advisories in the {% data variables.product.prodname_advisory_database %} at [github.com/advisories](https://github.com/advisories). Edits to global advisories will not change or affect how the advisory appears on the repository. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database)."
|
||||
|
||||
## Permissions overview
|
||||
|
||||
{% data reusables.repositories.security-advisory-admin-permissions %} For more information about adding a collaborator to a security advisory, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)."
|
||||
|
||||
Action | Write permissions | Admin permissions |
|
||||
------ | ----------------- | ----------------- |
|
||||
See a draft security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Add collaborators to the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Edit and delete any comments in the security advisory | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Create a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Add changes to a temporary private fork in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Create pull requests in a temporary private fork (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Merge changes in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Add and edit metadata in the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Add and remove credits for a security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)") | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Close the draft security advisory | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
Publish the security advisory (see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)") | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} |
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/withdrawing-a-repository-security-advisory)"
|
||||
@@ -7,6 +7,7 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/publishing-a-security-advisory
|
||||
- /code-security/security-advisories/publishing-a-security-advisory
|
||||
- /code-security/repository-security-advisories/publishing-a-repository-security-advisory
|
||||
- /code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -26,9 +27,9 @@ Anyone with admin permissions to a security advisory can publish the security ad
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory)."
|
||||
|
||||
If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)."
|
||||
If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."
|
||||
|
||||
## About publishing a security advisory
|
||||
|
||||
@@ -36,7 +37,7 @@ When you publish a security advisory, you notify your community about the securi
|
||||
|
||||
{% data reusables.repositories.security-advisories-republishing %}
|
||||
|
||||
Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
|
||||
Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)."
|
||||
|
||||
{% warning %}
|
||||
|
||||
@@ -54,7 +55,7 @@ When you publish a draft advisory from a public repository, everyone is able to
|
||||
|
||||
- The current version of the advisory data.
|
||||
- Any advisory credits that the credited users have accepted.
|
||||
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note**: The general public will never have access to the edit history of the advisory, and will only see the published version.
|
||||
@@ -63,7 +64,7 @@ When you publish a draft advisory from a public repository, everyone is able to
|
||||
|
||||
After you publish a security advisory, the URL for the security advisory will remain the same as before you published the security advisory. Anyone with read access to the repository can see the security advisory. Collaborators on the security advisory can continue to view past conversations, including the full comment stream, in the security advisory unless someone with admin permissions removes the collaborator from the security advisory.
|
||||
|
||||
If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)."
|
||||
If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)."
|
||||
|
||||
## Publishing a security advisory
|
||||
|
||||
@@ -82,14 +83,14 @@ Publishing a security advisory deletes the temporary private fork for the securi
|
||||
**Note:** If you selected "Request CVE ID later", you will see a **Request CVE** button in place of the **Publish advisory** button. For more information, see "[Requesting a CVE identification number (Optional)](#requesting-a-cve-identification-number-optional)" below.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
|
||||
## {% data variables.product.prodname_dependabot_alerts %} for published security advisories
|
||||
|
||||
{% data reusables.repositories.github-reviews-security-advisories %}
|
||||
|
||||
## Requesting a CVE identification number (Optional)
|
||||
|
||||
{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories#cve-identification-numbers)."
|
||||
{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers)."
|
||||
|
||||
{% data reusables.repositories.navigate-to-repo %}
|
||||
{% data reusables.repositories.sidebar-security %}
|
||||
@@ -101,4 +102,4 @@ Publishing a security advisory deletes the temporary private fork for the securi
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/withdrawing-a-repository-security-advisory)"
|
||||
@@ -5,6 +5,7 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/removing-a-collaborator-from-a-security-advisory
|
||||
- /code-security/security-advisories/removing-a-collaborator-from-a-security-advisory
|
||||
- /code-security/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
|
||||
- /code-security/security-advisories/repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -35,5 +36,5 @@ People with admin permissions to a security advisory can remove collaborators fr
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/permission-levels-for-repository-security-advisories)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory)"
|
||||
@@ -5,6 +5,7 @@ redirect_from:
|
||||
- /github/managing-security-vulnerabilities/withdrawing-a-security-advisory
|
||||
- /code-security/security-advisories/withdrawing-a-security-advisory
|
||||
- /code-security/repository-security-advisories/withdrawing-a-repository-security-advisory
|
||||
- /code-security/security-advisories/repository-security-advisories/withdrawing-a-repository-security-advisory
|
||||
versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
@@ -21,4 +22,4 @@ If you publish a security advisory in error, you can withdraw the security advis
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory)"
|
||||
- "[AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory)"
|
||||
Reference in New Issue
Block a user