Managing privately reported security vulnerabilities

Repository maintainers can manage security vulnerabilities that have been privately reported to them by security researchers for repositories where private vulnerability reporting is enabled.

¿Quién puede utilizar esta característica?

Propietarios de repositorios, propietarios de organizaciones, administradores de seguridad y usuarios con el rol de administrador

En este artículo

Los propietarios y administradores de repositorios públicos pueden habilitar informes de vulnerabilidades privados en sus repositorios. Para más información, consulta Configuring private vulnerability reporting for a repository.

About privately reporting a security vulnerability

Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form.

When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.

Managing security vulnerabilities that are privately reported

Cuando se notifica de forma privada una nueva vulnerabilidad en un repositorio donde está habilitada la notificación privada de vulnerabilidades, GitHub informa a los mantenedores de repositorios y administradores de seguridad si:

  • Están inspeccionando toda la actividad del repositorio.
  • Tienen notificaciones habilitadas para el repositorio.

For more information about configuring notification preferences, see Configuring private vulnerability reporting for a repository.

  1. En GitHub, navegue hasta la página principal del repositorio.

  2. Debajo del nombre del repositorio, haz clic en Security. Si no puedes ver la pestaña "Security", selecciona el menú desplegable y, después, haz clic en Security.

    Captura de pantalla de un encabezado de repositorio en el que se muestran las pestañas. La pestaña "Seguridad" está resaltada con un contorno naranja oscuro.

  3. En la barra lateral de la izquierda, en "Reporting", haz clic en Advisories.

  4. Click the advisory you want to review. An advisory that was reported privately has a status of Triage.

    Screenshot of a "Security Advisories" list.

  5. Carefully review the report, then choose how to proceed.

    • To collaborate on a patch in private, click Start a temporary private fork to create a place for further discussions with the contributor. This does not change the status of the proposed advisory from Triage.

    • To accept the reported vulnerability, click Accept and open as draft to accept the vulnerability report as a draft advisory on GitHub. If you choose this option:

      • This doesn't make the report public.
      • The report becomes a draft repository security advisory and you can work on it in the same way as any draft advisory that you create. For more information on security advisories, see Acerca de las asesorías de seguridad de repositorio.

    • To ask for more information, or to open a discussion with the reporter, you can comment on the advisory. Any comments are visible only to the reporter and to any collaborators on the advisory.

    • If you have enough information to determine that the problem the reporter describes is not a security risk, click Close security advisory. Where possible, you should add a comment explaining why you don't consider the report a security risk before you close the advisory.

      Screenshot showing the options available to the repository maintainer when reviewing an externally submitted vulnerability report.