
Privately reporting a security vulnerability

Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.

Who can use this feature?

Anyone can privately report a security vulnerability to repository maintainers.

Owners and administrators of public repositories can enable private vulnerability reporting for their repositories. For more information, see "Configuring private vulnerability reporting for a repository".

Note

  • If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see Creating a repository security advisory.
  • The ability to privately report a vulnerability in a repository is not related to the presence of a SECURITY.md file in that repository's root or docs directory.
    • The SECURITY.md file contains the security policy for the repository. Repository administrators can add and use this file to provide public instructions for how to report a security vulnerability in their repository. For more information, see Adding a security policy to your repository.
    • You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the SECURITY.md file. This reporting process is fully private, and GitHub notifies the repository administrators directly about your submission.

About privately reporting a security vulnerability

Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.

Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to the repository maintainer using a simple form.

For security researchers, the benefits of using private vulnerability reporting are:

  • Less frustration, and less time spent trying to figure out how to contact the maintainer.
  • A smoother process for disclosing and discussing vulnerability details.
  • The opportunity to discuss vulnerability details privately with the repository maintainer.

Note

If a repository does not have private vulnerability reporting enabled, you need to start the reporting process by following the instructions in the repository's security policy, or create an issue asking the maintainers for a preferred security contact. For more information, see "About coordinated disclosure of security vulnerabilities".

Privately reporting a security vulnerability

If a public repository has private vulnerability reporting enabled, anyone can privately report a security vulnerability to repository maintainers. Users can also evaluate the general security of a public repository and suggest a security policy. For more information, see Evaluating the security settings of a repository.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click "Security". If you cannot see the "Security" tab, select the dropdown menu, then click "Security".

    Screenshot of a repository header showing the tabs. The "Security" tab is outlined in dark orange.

  3. Click "Report a vulnerability" to open the advisory form.

  4. Fill in the advisory details form.

    Tip

    In this form, only the title and description are mandatory. (In the general draft security advisory form, which is initiated by the repository maintainer, specifying the ecosystem is also required.) However, we recommend that security researchers provide as much information as possible on the form so that the maintainers can make an informed decision about the submitted report. You can adopt the template used by our security researchers from the GitHub Security Lab, which is available in the github/securitylab repository.

    For more information about the fields available and guidance on filling in the form, see "Creating a repository security advisory" and "Best practices for writing repository security advisories".

  5. At the bottom of the form, click "Submit report". GitHub displays a message letting you know that the maintainers have been notified and that you have a pending credit for this security advisory.

    Tip

    After a report is submitted, GitHub automatically adds the vulnerability reporter as a collaborator and as a credited user on the proposed advisory.

  6. Optionally, if you want to start a fix, click "Start a temporary private fork". Note that only the repository maintainer can merge changes from that private fork into the parent repository.

    Screenshot of the bottom of a security advisory. The button labeled "Start a temporary private fork" is outlined in dark orange.

The next steps depend on the action taken by the repository maintainer. For more information, see Managing privately reported security vulnerabilities.