caaee7a124
* Add back changes from prior to purge * Manually fix some invalid Liquid * Updoot render-content * Improve test messages to show correct output * Run el scripto * Pass the remaining test
4.8 KiB
title, intro, redirect_from, versions
| title | intro | redirect_from | versions | ||||
|---|---|---|---|---|---|---|---|
| Publishing a security advisory | You can publish a security advisory to alert your community about a security vulnerability in your project. |
|
|
Anyone with admin permissions to a security advisory can publish the security advisory.
Prerequisites
Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see "Creating a security advisory."
If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see "Editing a security advisory."
About publishing a security advisory
When you publish a security advisory, you notify your community about the security vulnerability that the security advisory addresses. Publishing a security advisory makes it easier for your community to update package dependencies and research the impact of the security vulnerability.
{% data reusables.repositories.security-advisories-republishing %}
Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see "Collaborating in a temporary private fork to resolve a security vulnerability."
When you publish a draft advisory from a public repository, everyone is able to see:
- The current version of the advisory data.
- Any advisory credits that the credited users have accepted.
{% note %}
Note: The general public will never have access to the edit history of the advisory, and will only see the published version.
{% endnote %}
After you publish a security advisory, the URL for the security advisory will remain the same as before you published the security advisory. Anyone with read access to the repository can see the security advisory. Collaborators on the security advisory can continue to view past conversations, including the full comment stream, in the security advisory unless someone with admin permissions removes the collaborator from the security advisory.
If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see "Editing a security advisory."
Requesting a CVE identification number
Anyone with admin permissions to a security advisory can request a CVE identification number for the security advisory.
{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see "About {% data variables.product.prodname_security_advisories %}."
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to request a CVE identification number for.
5. Use the Publish advisory drop-down menu, and click Request CVE.
6. Click Request CVE.
Publishing a security advisory
Publishing a security advisory deletes the temporary private fork for the security advisory.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the security advisory you'd like to publish.
5. At the bottom of the page, click Publish advisory.
{% data variables.product.prodname_dependabot_alerts %} for published security advisories
{% data reusables.repositories.github-reviews-security-advisories %}