GitHub launches channel to simplify vulnerability disclosure process for open source software

GitHub, the world’s largest community for open source software development, has established a communication channel on the platform to make it easier for security researchers to report vulnerabilities to project maintainers.

Reporting vulnerabilities in open source software has long been complicated. Researchers who find an exploitable bug usually feel responsible for getting it to someone who can fix it, but many projects publish no instructions on how to contact maintainers privately. In addition, many open source projects are maintained by small groups of volunteers who update or fix problematic code in their spare time.

Announced Wednesday at GitHub Universe 2022, a global cloud, security, community and AI developer event, the feature allows researchers to report bugs directly and privately to maintainers.

“Private Vulnerability Reporting is a collaborative solution for security researchers and open source maintainers to report and fix vulnerabilities in open source repositories. It provides a convenient, standardized, and secret way to report, assess, and remediate vulnerabilities,” GitHub CEO Thomas Dohmke said in a post.

Justin Hutchings, Director of Product Management at GitHub, told SC Media that historically, security researchers have often reported vulnerabilities on social media or even by opening public issues, because correct contact information for maintainers was difficult to find. Either route effectively makes the vulnerability details public.

“If the disclosures are made public, maintainers don’t have time to fix the issues before bad actors have a chance to learn about them,” Hutchings said.

With the new feature, maintainers on the platform will be notified when a researcher reports an issue and they can either accept it, ask more questions, or deny it. This allows maintainers to have more control over how vulnerability details are communicated by researchers, while reducing instances of maintainers being contacted publicly or in unwanted ways. GitHub also believes this will reduce the likelihood of vulnerabilities being made public before they are fixed.

According to Hutchings, reporting vulnerabilities privately is free, and anyone can sign up for the public beta now. The team plans to make it generally available in early 2023.

Tim Mackey, chief security strategist at Synopsys, said the new feature is promising.

“While larger organizations likely have opportunities for researchers to responsibly report vulnerabilities, open source projects, and especially smaller open source projects, lack the resources to properly manage the workflows for receiving, responding to, and processing a security report — and do so in a confidential manner,” he told SC Media in an email.

“It’s great to see GitHub taking this important step. Enabling open source contributors to easily and securely support their projects helps us all make strides toward greater security,” added Tzachi Zornstain, Head of Supply Chain Security at Checkmarx.

While having a communication channel increases the likelihood of positive outcomes in the disclosure process, Jamie Scott, founding product manager at Endor Labs, cautioned that it also comes with greater ethical responsibility in the open source community.

By collecting vulnerabilities on the platform, Scott said that GitHub now becomes “an arbiter” and “holder of a vast body of security information.” “This comes with an ethical responsibility that GitHub must take seriously to protect the information,” he told SC Media in an email.

Additionally, Scott said the community should also standardize timeframes for when the vulnerabilities should be disclosed to the public if no action is taken.
