Skip to main content
GitHub Docs
Search
Select language: current language is English
Open Search BarClose Search Bar
Open Menu
Open Sidebar
  • Secure coding/
  • GitHub security features
  • Audit security alerts
  • Enable security features in trial
  • Choose security configuration
    • Configure global settings
    • Edit custom configuration
    • Delete custom configuration
    • Push protection
    • Enable push protection
    • Resolve alerts
    • Push protection from the REST API
    • Generate regular expressions with AI
    • About CodeQL code scanning
    • Configure advanced setup
    • Hardware resources for CodeQL
    • Disable Copilot Autofix
    • Track alerts in issues
    • CodeQL query suites
    • C# CodeQL queries
    • Python CodeQL queries
    • Using code scanning with your existing CI system
    • Alerts in generated code
    • Cannot enable CodeQL in a private repository
    • Logs not detailed enough
    • Resource not accessible
    • Two CodeQL workflows
    • GitHub Advanced Security disabled
    • Results file too large
    • Preparing code for analysis
    • Advanced setup of the CodeQL CLI
    • Testing custom queries
    • Specifying command options in a CodeQL configuration file
    • Extractor options
    • bqrs diff
    • database add-diagnostic
    • database create
    • database index-files
    • database run-queries
    • dataset check
    • dataset upgrade
    • execute language-server
    • execute upgrades
    • github merge-results
    • pack ci
    • pack install
    • pack resolve-dependencies
    • query format
    • resolve extensions-by-pack
    • resolve library-path
    • resolve qlpacks
    • resolve tests
    • test run
    • Manage CodeQL databases
    • CodeQL model editor
    • Test CodeQL queries
    • Telemetry
    • About global security advisories
    • Permission levels
    • Edit repository advisories
    • Add collaborators
    • Best practices
    • Dependency graph
    • Export dependencies as SBOM
    • Customize dependency review action
    • Overview
    • Dependabot ecosystem support
    • Configure notifications
    • Manage auto-dismissed alerts
    • Dependabot version updates
    • Control dependency update
    • Auto-update actions
    • Manage Dependabot on self-hosted runners
    • Troubleshoot Dependabot on Actions
    • Repository security advisories/
    • Configure for a repository

    Configuring private vulnerability reporting for a repository

    Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.

    Who can use this feature?

    Anyone with admin permissions to a public repository can enable and disable private vulnerability reporting for the repository.

    In this article

    • About privately reporting a security vulnerability
    • Enabling or disabling private vulnerability reporting for a repository
    • Configuring notifications for private vulnerability reporting

    About privately reporting a security vulnerability

    Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.

    Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form.

    When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.

    For maintainers, the benefits of using private vulnerability reporting are:

    • Less risk of being contacted publicly, or via undesired means.
    • Receive reports in the same platform you resolve them in for simplicity
    • The security researcher creates or at least initiates the advisory report on the behalf of maintainers.
    • Maintainers receive reports in the same platform as the one used to discuss and resolve the advisories.
    • Vulnerability less likely to be in the public eye.
    • The opportunity to discuss vulnerability details privately with security researchers and collaborate on the patch.

    The instructions in this article refer to enablement at repository level. For information about enabling the feature at organization level, see Configuring private vulnerability reporting for an organization.

    Enabling or disabling private vulnerability reporting for a repository

    1. On GitHub, navigate to the main page of the repository.

    2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    3. In the "Security" section of the sidebar, click Code security.

    4. Under "Code security", to the right of "Private vulnerability reporting", click Enable or Disable, to enable or disable the feature, respectively.

    When private vulnerability reporting is enabled for a repository, security researchers will see a new button in the Advisories page of the repository. The security researcher can click this button to privately report a security vulnerability to the repository maintainer.

    Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see Privately report a security vulnerability.

    Configuring notifications for private vulnerability reporting

    When a new vulnerability is privately reported on a repository where private vulnerability reporting is enabled, GitHub notifies repository maintainers and security managers if:

    • They're watching the repository for all activity.
    • They have notifications enabled for the repository.

    Notifications depend on the user's notification preferences. You will receive an email notification if:

    • You are watching the repository.
    • You have enabled notifications for "All Activity".
    • In your notification settings, under "Subscriptions", then under "Watching", you have selected to receive notifications by email.

    1. On GitHub, navigate to the main page of the repository.

    2. To start watching the repository, select Watch.

    3. In the dropdown menu, click All Activity.

    4. Navigate to the notification settings for your personal account. These are available at https://github.com/settings/notifications.

    5. On your notification settings page, under "Subscriptions," then under "Watching," select the Notify me dropdown.

    6. Select "Email" as a notification option, then click Save.

    For more information about setting up notification preferences, see Managing security and analysis settings for your repository and Configuring your watch settings for an individual repository.

    Help and support

    Did you find what you needed?

    Privacy
  • Status
  • Blog

    • Follow Lee on X/Twitter - Father, Husband, Serial builder creating AI, crypto, games & web tools. We are friends :) AI Will Come To Life!

    Check out: eBank.nz (Art Generator) | Netwrck.com (AI Tools) | Text-Generator.io (AI API) | BitBank.nz (Crypto AI) | ReadingTime (Kids Reading) | RewordGame | BigMultiplayerChess | WebFiddle | How.nz | Helix AI Assistant