Note
If you are a security researcher, you should contact the maintainers directly and ask them to create a security advisory, or to issue a CVE on your behalf, for repositories you do not administer. However, if private vulnerability reporting is enabled for the repository, you can report the vulnerability privately yourself. For more information, see "Privately reporting a security vulnerability".
Creating a security advisory
You can also use the REST API to create repository security advisories. For more information, see "REST API endpoints for repository security advisories".
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, then click Security.
- In the left sidebar, under "Reporting", click Advisories.
- Click New draft security advisory to open the draft advisory form. The fields marked with an asterisk are required.
- In the Title field, type a title for your security advisory.
- Use the "CVE identifier" dropdown menu to specify whether you already have a CVE identifier or plan to request one from GitHub later. If you have an existing CVE identifier, select "I have an existing CVE identifier" to display the "Existing CVE" field, and type the CVE identifier into that field. For more information, see "About repository security advisories".
- In the "Description" field, type a description of the security vulnerability, including its impact, any available patches or workarounds, and any references.
- Under "Affected products", define the ecosystem, package name, affected/patched versions, and vulnerable functions for the security vulnerability this advisory describes. If applicable, you can add multiple affected products to the same advisory by clicking "Add another affected product". For information about how to specify the information on the form, including affected versions, see "Best practices for writing repository security advisories".
- Use the "Severity" dropdown menu to define the severity of the security vulnerability. If you want to calculate a CVSS score, select "Assess severity using CVSS", then choose the appropriate values in the calculator. GitHub calculates the score according to the Common Vulnerability Scoring System (CVSS) calculator.
- Under "Weaknesses", in the "Common weakness enumerator" field, type the Common Weakness Enumeration (CWE) identifiers that describe the type of security vulnerability this advisory reports. For a complete list of CWEs, see "Common Weakness Enumeration" from MITRE.
- Optionally, under "Credits", add credits by searching for a GitHub username, the email address associated with their GitHub account, or their full name.
  - Use the dropdown menu next to the name of the person you're crediting to assign a credit type. For more information about credit types, see the About credits for repository security advisories section.
  - Optionally, to remove someone, click the remove button next to the credit type.
- Click Create draft security advisory.
People listed in the "Credits" section will receive an email or web notification inviting them to accept the credit. If someone accepts, their username becomes publicly visible once the security advisory is published.
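The same draft can be created without the form, through the REST endpoint mentioned above (`POST /repos/{owner}/{repo}/security-advisories`). The script below is an added example, not code from GitHub's documentation: it maps the form fields to the request body (title becomes `summary`; affected products become `vulnerabilities`; CVE, CWE, severity/CVSS and credits keep their names), validates them client-side so a malformed CWE or credit type is caught before a half-filled draft exists, and only sends the request when a token is present. The ecosystem and credit-type lists, the header set, and the rule that `severity` and `cvss_vector_string` are mutually exclusive are written from the API reference as I recall it and should be checked against the current reference; the package name, versions, username and CVSS vector are constructed placeholders.

```python
import json
import os
import re
import urllib.request

# Enumerations accepted by the endpoint, as recalled from the API reference (verify before relying on them).
ECOSYSTEMS = {"rubygems", "npm", "pip", "maven", "nuget", "composer", "go", "rust",
              "erlang", "actions", "pub", "other", "swift"}
CREDIT_TYPES = {"analyst", "coordinator", "finder", "remediation_developer",
                "remediation_reviewer", "remediation_verifier", "reporter",
                "sponsor", "tool", "other"}
SEVERITIES = {"critical", "high", "medium", "low"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_RE = re.compile(r"^CWE-\d+$")


def build_advisory_payload(summary, description, vulnerabilities, *, cve_id=None,
                           cwe_ids=(), credits=(), severity=None,
                           cvss_vector_string=None, start_private_fork=False):
    """Validate the form fields and return the JSON body for the create-advisory call.

    Raises ValueError for anything the API would reject (missing required fields,
    unknown ecosystem or credit type, malformed CVE/CWE ids, severity and CVSS
    vector supplied together), so errors surface before any draft is created.
    """
    if not summary or len(summary) > 1024:
        raise ValueError("summary (the form's Title) is required, max 1024 characters")
    if not description:
        raise ValueError("description is required")
    if not vulnerabilities:
        raise ValueError("at least one affected product is required")
    for v in vulnerabilities:
        eco = v.get("package", {}).get("ecosystem")
        if eco not in ECOSYSTEMS:
            raise ValueError(f"unknown ecosystem: {eco!r}")
    if cve_id is not None and not CVE_RE.match(cve_id):
        raise ValueError(f"malformed CVE identifier: {cve_id!r}")
    for cwe in cwe_ids:
        if not CWE_RE.match(cwe):
            raise ValueError(f"malformed CWE identifier: {cwe!r}")
    for c in credits:
        if c.get("type") not in CREDIT_TYPES:
            raise ValueError(f"unknown credit type: {c.get('type')!r}")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity!r}")
    if severity is not None and cvss_vector_string:
        raise ValueError("set either severity or cvss_vector_string, not both")

    payload = {
        "summary": summary,
        "description": description,
        "vulnerabilities": list(vulnerabilities),
        "cwe_ids": list(cwe_ids),
        "credits": list(credits),
        "start_private_fork": bool(start_private_fork),
    }
    if cve_id is not None:
        payload["cve_id"] = cve_id
    if severity is not None:
        payload["severity"] = severity
    if cvss_vector_string:
        payload["cvss_vector_string"] = cvss_vector_string
    return payload


def is_rejected(**fields):
    """True if build_advisory_payload refuses these fields; used to exercise the guards."""
    try:
        build_advisory_payload(**fields)
    except ValueError:
        return True
    return False


def create_draft_advisory(owner, repo, token, payload, api_base="https://api.github.com"):
    """POST the draft. The token needs write access to repository security advisories.
    Returns the created advisory (including its GHSA id and html_url) as a dict."""
    req = urllib.request.Request(
        f"{api_base}/repos/{owner}/{repo}/security-advisories",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def example_payload():
    """Constructed sample: the package, versions, user and CVSS vector are placeholders."""
    return build_advisory_payload(
        summary="Path traversal in archive extraction",
        description="Archive entries containing '../' are written outside the target directory.",
        vulnerabilities=[{
            "package": {"ecosystem": "pip", "name": "example-archiver"},
            "vulnerable_version_range": "< 2.3.1",
            "patched_versions": "2.3.1",
            "vulnerable_functions": ["example_archiver.extract"],
        }],
        cwe_ids=["CWE-22"],
        credits=[{"login": "octocat", "type": "finder"}],
        cvss_vector_string="CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
        start_private_fork=True,  # same as choosing to start a temporary private fork for the fix
    )


if __name__ == "__main__":
    payload = example_payload()
    token = os.environ.get("GITHUB_TOKEN")
    owner, repo = os.environ.get("GH_OWNER"), os.environ.get("GH_REPO")
    if token and owner and repo:
        created = create_draft_advisory(owner, repo, token, payload)
        print(created.get("ghsa_id"), created.get("html_url"))
    else:
        print(json.dumps(payload, indent=2))  # dry run: show the body that would be sent
```

Run it with `GITHUB_TOKEN`, `GH_OWNER` and `GH_REPO` set to create the draft; without them it prints the body so you can review it first. Like the form, the API only creates a draft: the advisory stays private until you publish it, and credited people are still asked to accept.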
About credits for repository security advisories
You can credit people who helped discover, report, or fix a security vulnerability. If you credit someone, they can choose to accept or decline credit.
You can assign different types of credit to people.
| Credit type | Reason |
|---|---|
| Finder | Identifies the vulnerability |
| Reporter | Notifies the vendor or a CNA of the vulnerability |
| Analyst | Validates the vulnerability to ensure accuracy or severity |
| Coordinator | Facilitates the coordinated response process |
| Remediation developer | Prepares a code change or other remediation plans |
| Remediation reviewer | Reviews vulnerability remediation plans or code changes for effectiveness and completeness |
| Remediation verifier | Tests and verifies the vulnerability or its remediation |
| Tool | Names of tools used in vulnerability discovery or identification |
| Sponsor | Supports the vulnerability identification or remediation activities |
If someone accepts credit, the person's username appears in the "Credits" section of the security advisory. Anyone with read access to the repository can see the advisory and the people who accepted credit for it.
Note
If you believe you should be credited for a security advisory, contact the creator of the advisory and ask for the advisory to be edited to include your credit. Only the creator of the advisory can credit you, so please don't contact GitHub Support about credits for security advisories.
Next steps
- Comment on the draft security advisory to discuss the vulnerability with your team.
- Add collaborators to the security advisory. For more information, see Adding a collaborator to a repository security advisory.
- Privately collaborate to fix the vulnerability in a temporary private fork. For more information, see Collaborating in a temporary private fork to resolve a repository security vulnerability.
- Add individuals who should receive credit for contributing to the security advisory. For more information, see Editing a repository security advisory.
- Publish the security advisory to notify your community of the security vulnerability. For more information, see Publishing a repository security advisory.