---
title: Managing privately reported security vulnerabilities
intro: Repository maintainers can manage security vulnerabilities that have been privately reported to them by security researchers for repositories where private vulnerability reporting is enabled.
permissions: '{% data reusables.permissions.security-repo-enable %}'
versions:
  fpt: '*'
  ghec: '*'
contentType: how-tos
shortTitle: Manage vulnerability reports
redirect_from:
  - /code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities
  - /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities
  - /code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/managing-privately-reported-security-vulnerabilities
category:
  - Report and disclose vulnerabilities
---

When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.

{% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}

For more information about configuring notification preferences, see AUTOTITLE.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-security %}
{% data reusables.repositories.sidebar-advisories %}

1. Click the advisory you want to review. An advisory that was reported privately has a status of Triage.

   Screenshot of a "Security Advisories" list.

1. Carefully review the report, then choose how to proceed.

   * To collaborate on a patch in private, click Start a temporary private fork to create a place for further discussions with the contributor. This does not change the status of the proposed advisory from Triage.

   * To accept the reported vulnerability, click Accept and open as draft to accept the vulnerability report as a draft advisory on {% data variables.product.prodname_dotcom %}. If you choose this option:

     * This doesn't make the report public.
     * The report becomes a draft repository security advisory and you can work on it in the same way as any draft advisory that you create. For more information on security advisories, see AUTOTITLE.

   * To ask for more information, or to open a discussion with the reporter, you can comment on the advisory. Any comments are visible only to the reporter and to any collaborators on the advisory.

   * If you have enough information to determine that the problem the reporter describes is not a security risk, click Close security advisory. Where possible, you should add a comment explaining why you don't consider the report a security risk before you close the advisory.

     Screenshot showing the options available to the repository maintainer when reviewing an externally submitted vulnerability report.
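The same triage workflow can be driven from a script so that reports do not sit unreviewed. The example below is added here and is not part of the {% data variables.product.prodname_dotcom %} documentation or its code: it works on the JSON shape returned by the REST endpoint `GET /repos/{owner}/{repo}/security-advisories` (the field names `ghsa_id`, `summary`, `state`, `created_at` and `private_fork` are assumed from that API), lists everything still in Triage ordered by how long it has waited, and encodes the state each action on this page leads to. The sample response, the GHSA identifiers, the reference time and the `max_days` threshold are all constructed for the example.

```python
"""Triage-queue helper for privately reported security advisories.

Added example; not part of the docs page or of GitHub's own tooling. It
parses a constructed payload shaped like the REST response of
GET /repos/{owner}/{repo}/security-advisories so it runs offline. The field
names used (ghsa_id, summary, state, created_at, private_fork) are assumed
from that API; everything else here is this example's own choice.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample resembling the API response (placeholder GHSA ids).
SAMPLE_RESPONSE = json.dumps([
    {"ghsa_id": "GHSA-xxxx-xxxx-0001", "summary": "Auth bypass in login handler",
     "state": "triage", "created_at": "2024-05-01T10:00:00Z", "private_fork": None},
    {"ghsa_id": "GHSA-xxxx-xxxx-0002", "summary": "Path traversal in export",
     "state": "triage", "created_at": "2024-05-10T09:30:00Z",
     "private_fork": {"full_name": "org/repo-ghsa-xxxx-xxxx-0002"}},
    {"ghsa_id": "GHSA-xxxx-xxxx-0003", "summary": "Already accepted report",
     "state": "draft", "created_at": "2024-04-20T08:00:00Z", "private_fork": None},
    {"ghsa_id": "GHSA-xxxx-xxxx-0004", "summary": "Not a security issue",
     "state": "closed", "created_at": "2024-04-01T08:00:00Z", "private_fork": None},
])

# Constructed "current time" so the ages below are reproducible.
REFERENCE_NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)

# Maintainer actions on a Triage report, as described on the page, and the
# state the advisory is in afterwards. Forking and commenting leave it in Triage.
TRIAGE_ACTIONS = {
    "start_private_fork": "triage",   # temporary private fork for collaboration
    "comment": "triage",              # ask the reporter for more information
    "accept_as_draft": "draft",       # becomes a draft repository advisory
    "close": "closed",                # judged not to be a security risk
}


def parse_timestamp(ts: str) -> datetime:
    """Parse the API's UTC timestamp format into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_queue(response_json: str, now: datetime = REFERENCE_NOW,
                 max_days: int = 7) -> list[dict]:
    """Return reports still awaiting a maintainer decision, oldest first,
    flagging any that have waited in Triage longer than max_days."""
    queue = []
    for adv in json.loads(response_json):
        if adv.get("state") != "triage":
            continue  # drafts, published and closed advisories need no triage
        age = now - parse_timestamp(adv["created_at"])
        queue.append({
            "ghsa_id": adv["ghsa_id"],
            "summary": adv["summary"],
            "days_open": age.days,
            "overdue": age > timedelta(days=max_days),
            "has_private_fork": adv.get("private_fork") is not None,
        })
    queue.sort(key=lambda r: r["days_open"], reverse=True)
    return queue


def next_state(current: str, action: str) -> str:
    """State of an advisory after a maintainer action; the actions on this
    page only apply to reports that are still in Triage."""
    if current != "triage":
        raise ValueError(f"{action!r} applies to Triage reports, not {current!r}")
    try:
        return TRIAGE_ACTIONS[action]
    except KeyError:
        raise ValueError(f"unknown action {action!r}") from None


if __name__ == "__main__":
    for r in triage_queue(SAMPLE_RESPONSE):
        flag = "OVERDUE" if r["overdue"] else "ok"
        fork = "fork started" if r["has_private_fork"] else "no fork"
        print(f"{r['ghsa_id']}: {r['days_open']}d [{flag}] ({fork}) {r['summary']}")
```

In practice the payload would come from the advisories endpoint with a token that has the repository's security-advisory permission; the age threshold is simply a reminder to the maintainer and is not enforced by {% data variables.product.prodname_dotcom %}.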