GitHub is allowing developers to notify their peers of discovered vulnerabilities – quietly. The company says this will avoid the “name and shame” game and prevent exploitations that might result from public disclosure.
In a blog post earlier this week, GitHub said given the way that platform is currently set up, sometimes there’s no other option but to disclose a vulnerability publicly – and before malware removal software can be deployed – alerting potential threat actors.
“Security researchers often feel responsible for alerting users to a vulnerability that could be exploited,” the blog reads. “If there are no clear instructions about contacting maintainers of the repository containing the vulnerability. It can potentially lead to a public disclosure of the vulnerability details.”
Private vulnerability reporting
To tackle the issue, GitHub has now introduced private vulnerability reporting – essentially a simple reporting form.
When a developer tries to reach out to the maintainer of the affected vulnerability via Private vulnerability reporting, the latter can choose to either accept it, ask more questions, or reject it.
> Here are the best firewalls on the market
> You’ll soon be able to code on GitHub with just your voice
> Microsoft is being sued over Github Copilot piracy
“If you accept the report, you’re ready to collaborate on a fix for the vulnerability in private with the security researcher,” the post explains.
The Microsoft-owned platform also hopes this disclosure method will streamline troubleshooting efforts, since reports are dealt with in a single place. Furthermore, it gives maintainers the opportunity to discuss vulnerability details in private with security researchers and ultimately use patch management software to collaborate on a fix.
The repository’s community has welcomed the news, The Register reported. It spoke to multiple CTOs, technical engineers and threat hunters, all of which agree that such a feature was in high demand on GitHub.
- Check out our list of the best endpoint protection services around
stereoguide-referencehometheater-techradar