Skip to main content
GitHub Docs
Search
Select language: current language is English
Open Search BarClose Search Bar
Open Menu
Open Sidebar
  • Code security/
  • GitHub security features
  • Audit security alerts
  • Trial secret scanning
  • Apply recommended configuration
  • Give access to private registries
    • Manage GHAS licenses
    • Active advanced setup
    • Secret scanning for partners
    • About alerts
    • Monitor alerts
    • Push protection in the GitHub UI
    • Troubleshoot secret scanning
    • Configure code scanning
    • Customize advanced setup
    • Code scanning in a container
    • Assess alerts
    • Code scanning tool status
    • Configure larger runners
    • Go CodeQL queries
    • Ruby CodeQL queries
    • Upload a SARIF file
    • Analysis takes too long
    • Enabling default setup takes too long
    • No source code seen during build
    • Results different than expected
    • Unclear what triggered a workflow
    • Default setup is enabled
    • Results exceed limits
      • Analyzing code
      • About CodeQL workspaces
      • Testing query help files
      • Query reference files
      • Exit codes
      • bqrs hash
      • database analyze
      • database export-diagnostics
      • database init
      • database trace-command
      • dataset cleanup
      • diagnostic add
      • execute queries
      • generate extensible-predicate-metadata
      • github upload-results
      • pack create
      • pack ls
      • pack upgrade
      • query run
      • resolve extractor
      • resolve metadata
      • resolve qlref
      • resolve upgrades
      • version
      • Run CodeQL queries
      • Custom query creation
      • Customize settings
      • Access logs
      • Browse Advisory Database
      • Configure for a repository
      • Evaluate repository security
      • Remove collaborators
      • Privately reporting
      • Dependency graph ecosystem support
      • Dependency submission API
      • Enforce dependency review
      • Securing accounts
      • Optimize Java packages
      • About auto-triage rules
      • Dependabot security updates
      • Configure version updates
      • Manage Dependabot PRs
      • Configure access to private registries
      • Remove access to public registries
      • Troubleshoot vulnerability detection
    • Privately reporting

    Privately reporting a security vulnerability

    Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.

    In this article

    • About privately reporting a security vulnerability
    • Privately reporting a security vulnerability

    Owners and administrators of public repositories can enable private vulnerability reporting on their repositories. For more information, see Configuring private vulnerability reporting for a repository.

    Note

    • If you have admin or security permissions for a public repository, you don't need to submit a vulnerability report. Instead, you can create a draft security advisory directly. For more information, see Creating a repository security advisory.
    • The ability to privately report a vulnerability in a repository is not related to the presence of a SECURITY.md file in that repository's root or docs directory.
      • The SECURITY.md file contains the security policy for the repository. Repository administrators can add and use this file to provide public instructions for how to report a security vulnerability in their repository. For more information, see Adding a security policy to your repository.
      • You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the SECURITY.md file. This reporting process is fully private, and GitHub notifies the repository administrators directly about your submission.

    About privately reporting a security vulnerability

    Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.

    Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to the repository maintainer using a simple form.

    For security researchers, the benefits of using private vulnerability reporting are:

    • Less frustration, and less time spent trying to figure out how to contact the maintainer.
    • A smoother process for disclosing and discussing vulnerability details.
    • The opportunity to discuss vulnerability details privately with the repository maintainer.

    Note

    If the repository doesn't have private vulnerability reporting enabled, you need to initiate the reporting process by following the instructions in the security policy for the repository, or create an issue asking the maintainers for a preferred security contact. For more information, see About coordinated disclosure of security vulnerabilities.

    Privately reporting a security vulnerability

    If a public repository has private vulnerability reporting enabled, anyone can privately report a security vulnerability to repository maintainers. Users can also evaluate the general security of a public repository and suggest a security policy. For more information, see Evaluating the security settings of a repository.

    1. On GitHub, navigate to the main page of the repository.

    2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.

    3. Click Report a vulnerability to open the advisory form.

    4. Fill in the advisory details form.

      Tip

      In this form, only the title and description are mandatory. (In the general draft security advisory form, which the repository maintainer initiates, specifying the ecosystem is also required.) However, we recommend security researchers provide as much information as possible on the form so that the maintainers can make an informed decision about the submitted report. You can adopt the template used by our security researchers from the GitHub Security Lab, which is available on the github/securitylab repository.

      For more information about the fields available and guidance on filling in the form, see Best practices for writing repository security advisories.

    5. At the bottom of the form, click Submit report. GitHub will display a message letting you know that maintainers have been notified and that you have a pending credit for this security advisory.

      Tip

      When the report is submitted, GitHub automatically adds the reporter of the vulnerability as a collaborator and as a credited user on the proposed advisory.

    6. Optionally, click Start a temporary private fork if you want to start to fix the issue. Note that only the repository maintainer can merge changes from that private fork into the parent repository.

    The next steps depend on the action taken by the repository maintainer. For more information, see

    Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

    Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant