GitHub recently announced the general availability of private vulnerability reporting for all repositories associated with an organization. This new dedicated communication channel allows security researchers to privately report vulnerabilities to the administrators of an open source project in a secure environment, without the risk of details being leaked. Eric Tooley, Senior Product Marketing Manager, and Kate Catlin, Senior Product Manager, outlined the benefits of the feature in a blog post.
The feature enables researchers and administrators to report and fix vulnerabilities on public repositories more easily. It also allows organizations to enable private vulnerability reporting across all their repositories, and choose how to credit those who find and help fix vulnerabilities. Additionally, the new repository security advisories API supports integration and automation workflows, such as automated submissions and vulnerability alerts. Lastly, private vulnerability reporting is free for public repositories.
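As an added example of the kind of automation the repository security advisories API is meant to support (this is not code from the GitHub blog post, InfoQ, or GitHub itself), the following Python helper builds the two requests a maintainer or researcher would typically script and ranks incoming private reports for triage. The endpoint paths, the `state` value `"triage"` for privately reported advisories, the `GITHUB_TOKEN` environment variable and the sample response are assumptions to be checked against the current GitHub REST documentation; the network call is kept separate so the ranking logic runs offline on the constructed data.

```python
"""Triage helper for GitHub private vulnerability reports (added example).

Assumptions, not confirmed by the article:
  - advisories are listed via GET /repos/{owner}/{repo}/security-advisories
    and privately submitted reports sit in state "triage";
  - a researcher submits a private report via
    POST /repos/{owner}/{repo}/security-advisories/reports;
  - the API token is read from the GITHUB_TOKEN environment variable.
"""
import json
import os
import urllib.request

API = "https://api.github.com"
# Ordering used to surface the most urgent reports first; unknown/None -> 0.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def _headers(token):
    return {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    }


def build_list_request(owner, repo, state="triage", token=None):
    """Maintainer side: request listing advisories awaiting triage."""
    token = token or os.environ.get("GITHUB_TOKEN", "")
    url = f"{API}/repos/{owner}/{repo}/security-advisories?state={state}"
    return urllib.request.Request(url, headers=_headers(token))


def build_report_request(owner, repo, summary, description,
                         severity=None, token=None):
    """Researcher side: a private submission that never opens a public issue."""
    token = token or os.environ.get("GITHUB_TOKEN", "")
    body = {"summary": summary, "description": description}
    if severity:
        body["severity"] = severity
    url = f"{API}/repos/{owner}/{repo}/security-advisories/reports"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=_headers(token),
        method="POST")


def rank_reports(advisories):
    """Keep only reports still in triage; most severe first, oldest first
    within a severity, so nothing quietly ages out of the queue."""
    queue = [a for a in advisories if a.get("state") == "triage"]
    return sorted(
        queue,
        key=lambda a: (-SEVERITY_RANK.get(a.get("severity") or "", 0),
                       a.get("created_at", "")))


def fetch_triage_queue(owner, repo):
    """Live variant: list and rank the repository's triage queue (network)."""
    with urllib.request.urlopen(build_list_request(owner, repo)) as resp:
        return rank_reports(json.load(resp))


# Constructed sample response; GHSA ids and dates are placeholders.
SAMPLE_RESPONSE = [
    {"ghsa_id": "GHSA-xxxx-xxxx-0001", "state": "triage",
     "severity": "high", "created_at": "2024-05-02T10:00:00Z",
     "summary": "Path traversal in archive extraction"},
    {"ghsa_id": "GHSA-xxxx-xxxx-0002", "state": "triage",
     "severity": "critical", "created_at": "2024-05-03T09:00:00Z",
     "summary": "Auth bypass on admin endpoint"},
    {"ghsa_id": "GHSA-xxxx-xxxx-0003", "state": "triage",
     "severity": "high", "created_at": "2024-05-01T08:00:00Z",
     "summary": "SSRF via webhook URL"},
    {"ghsa_id": "GHSA-xxxx-xxxx-0004", "state": "published",
     "severity": "low", "created_at": "2024-04-20T08:00:00Z",
     "summary": "Already disclosed"},
]


if __name__ == "__main__":
    for adv in rank_reports(SAMPLE_RESPONSE):
        print(adv["ghsa_id"], adv["severity"], adv["created_at"], adv["summary"])
```

In a scheduled job, `fetch_triage_queue` replaces the sample data and its output can be posted to an internal channel or compared against the previous run to alert on new arrivals; the token only needs the scope GitHub requires for reading repository advisories, so keep it out of broader automation credentials.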