Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com> Co-authored-by: Grace Park <gracepark@github.com> Co-authored-by: Steve Guntrip <12534592+stevecat@users.noreply.github.com> Co-authored-by: Robert Sese <sese@github.com> Co-authored-by: Peter Bengtsson <peterbe@github.com> Co-authored-by: Rachael Sewell <rachmari@github.com>
---
title: About GitHub Security Advisories
intro: 'You can use {% data variables.product.prodname_security_advisories %} to privately discuss, fix, and publish information about security vulnerabilities in your repository.'
redirect_from:
versions:
type: overview
topics:
  - Security advisories
shortTitle:
---
{% data reusables.repositories.security-advisory-admin-permissions %}
{% data reusables.security-advisory.security-researcher-cannot-create-advisory %}
## About {% data variables.product.prodname_security_advisories %}
{% data reusables.security-advisory.disclosing-vulnerabilities %} For more information, see "About coordinated disclosure of security vulnerabilities."
{% data reusables.security-advisory.security-advisory-overview %}
With {% data variables.product.prodname_security_advisories %}, you can:
- Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see "Creating a security advisory."
- Privately collaborate to fix the vulnerability in a temporary private fork.
- Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "Publishing a security advisory."
{% data reusables.repositories.security-advisories-republishing %}
You can give credit to individuals who contributed to a security advisory. For more information, see "Editing a security advisory."
{% data reusables.repositories.security-guidelines %}
If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on github.com/advisories. If a security advisory is specifically for npm, we also publish the advisory to the npm security advisories. For more information, see npmjs.com/advisories.
{% data reusables.repositories.github-security-lab %}
## CVE identification numbers
{% data variables.product.prodname_security_advisories %} builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list. The security advisory form on {% data variables.product.prodname_dotcom %} is a standardized form that matches the CVE description format.
{% data variables.product.prodname_dotcom %} is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers. For more information, see "About CVE" and "CVE Numbering Authorities" on the CVE website.
When you create a security advisory for a public repository on {% data variables.product.prodname_dotcom %}, you have the option of providing an existing CVE identification number for the security vulnerability. {% data reusables.repositories.request-security-advisory-cve-id %}
Once you've published the security advisory and {% data variables.product.prodname_dotcom %} has assigned a CVE identification number to the vulnerability, {% data variables.product.prodname_dotcom %} publishes the CVE to the MITRE database. For more information, see "Publishing a security advisory."
## {% data variables.product.prodname_dependabot_alerts %} for published security advisories
{% data reusables.repositories.github-reviews-security-advisories %}
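The following script is an added example and is not part of this article or of GitHub's own code. It reproduces, offline, the matching step that turns a published advisory into an alert: an advisory record names an ecosystem, a package and one or more version ranges, and a repository's resolved dependencies are checked against them. The advisory is constructed by hand in the OSV schema that the GitHub Advisory Database publishes (the `GHSA-xxxx-xxxx-xxxx` identifier, the package name `placeholder-lib`, the version numbers and the dependency list are all placeholders and describe no real vulnerability), and the version parser is a deliberately simplified `major.minor.patch` comparison that rejects pre-release tags instead of guessing at their order.

```python
"""Added example, not from the GitHub docs or from GitHub's own tooling.

Matches a published advisory against a repository's resolved dependencies,
the way Dependabot alerts are derived from the GitHub Advisory Database.
All identifiers and versions below are constructed placeholders.
"""
import json
import re

# Constructed advisory in OSV layout. Each range is bounded by
# "introduced"/"fixed" events and covers [introduced, fixed).
CONSTRUCTED_ADVISORY = json.loads("""
{
  "id": "GHSA-xxxx-xxxx-xxxx",
  "summary": "Constructed example advisory for placeholder-lib",
  "affected": [
    {
      "package": {"ecosystem": "npm", "name": "placeholder-lib"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.3"}]},
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}
      ]
    }
  ]
}
""")

# Constructed dependency list, keyed by ecosystem, as a dependency graph
# would resolve it. The pip entry shares a name but is a different package.
CONSTRUCTED_DEPENDENCIES = {
    "npm": {"placeholder-lib": "1.3.7", "other-lib": "4.0.0"},
    "pip": {"placeholder-lib": "1.3.7"},
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version):
    """Simplified semver: major.minor.patch only, no pre-release or build
    tags. Anything else raises rather than being compared incorrectly."""
    match = _SEMVER.match(version)
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def in_range(version, events):
    """True if version lies in [introduced, fixed) for one OSV range.
    introduced == "0" means no lower bound; a missing "fixed" event means
    the range is open-ended (no patched release yet)."""
    introduced = fixed = None
    for event in events:
        introduced = event.get("introduced", introduced)
        fixed = event.get("fixed", fixed)
    parsed = parse_version(version)
    if introduced not in (None, "0") and parsed < parse_version(introduced):
        return False
    if fixed is not None and parsed >= parse_version(fixed):
        return False
    return True


def affected_dependencies(advisory, dependencies):
    """Return (ecosystem, name, version, fixed_in) for every dependency the
    advisory matches. Ecosystem must match as well as name."""
    hits = []
    for entry in advisory["affected"]:
        ecosystem = entry["package"]["ecosystem"]
        name = entry["package"]["name"]
        version = dependencies.get(ecosystem, {}).get(name)
        if version is None:
            continue
        for rng in entry["ranges"]:
            # GIT ranges are commit-based and need repository history; skipped.
            if rng["type"] not in ("ECOSYSTEM", "SEMVER"):
                continue
            if in_range(version, rng["events"]):
                fixed_in = next(
                    (e["fixed"] for e in rng["events"] if "fixed" in e), None)
                hits.append((ecosystem, name, version, fixed_in))
                break
    return hits


if __name__ == "__main__":
    for hit in affected_dependencies(CONSTRUCTED_ADVISORY, CONSTRUCTED_DEPENDENCIES):
        ecosystem, name, version, fixed_in = hit
        print(f"{ecosystem}:{name}@{version} is affected; fixed in {fixed_in}")
```

Two details matter in practice: the ecosystem is part of the match, so the `pip` entry with the same package name is not reported, and a range with no `fixed` event stays open-ended, which is what a repository sees between publication and the first patched release.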