
GitHub launches private vulnerability reporting to secure the software supply chain

The new platform aims to simplify vulnerability disclosure and minimise instances where researchers avoid reporting out of personal convenience

Welcome sign at GitHub Universe 2022

GitHub has launched a new way of disclosing security vulnerabilities privately and directly from within a repository in a bid to improve the state of software supply chain security.

The new private reporting tool is nestled within the security tab of a GitHub repository and is presented as a simple web form that can be used to alert the maintainers of an open source project to a security issue.

GitHub said that disclosing vulnerabilities in open source projects can often be difficult, and researchers have told them they have avoided disclosing a vulnerability altogether because the maintainer’s contact information was too difficult to find.

The company hopes the new tool will help developers avoid attracting attention to vulnerabilities by public methods of disclosure, such as over Twitter, where black hat hackers could be alerted to issues and develop exploits before the issue can be fixed.

“The challenge that we see is that a really high number of open source projects do not have any security policy or any defined disclosure practice,” Justin Hutchings, director of product management at GitHub, told IT Pro.

“So when a researcher finds a bug in one of those pieces of code, they're left tweeting at the maintainer to say "will you please contact me, DM me, I have something important to tell you and I don't want to tell you the wrong way". 

“And, of course, sometimes, security researchers being busy people, if they can't find it, they try maybe one or two things [before] they just go and ask for the CVE, and then everyone ends up surprised because the right thing didn't happen.”

Private vulnerability reporting can be enabled by maintainers quickly through a repository’s settings. It also offers the researcher reporting the issue visibility into the status of remediation and the chance to test any proposed fix developed by the maintainer.

Reporters can also start a temporary fork if they have the will and experience to begin developing a fix for the security issue themselves. The reporter cannot make the fork permanent or public, nor make a public disclosure of their report.

The new feature works alongside GitHub’s other security tools that provide maintainers with capabilities to prevent security issues from impacting the health of their projects.


These include Dependabot, which pushes alerts when known vulnerabilities are found in a project’s dependencies; secret scanning, which scans code for components that could leak secret access keys; and code scanning, which scans for security vulnerabilities in code.

Launched this week at GitHub Universe, the tool is now in public beta but is expected to be made generally available in early 2023.

The focus on security vulnerabilities in the software supply chain was brought to the fore in late 2021 with the discovery of the Log4Shell vulnerability impacting the Apache Log4j logging utility.

Due to its use in the majority of software used in businesses across the world, the news caused the cyber security community to panic over the degree to which possible exploits could impact the global IT industry.

GitHub’s new private vulnerability disclosure tool, along with the company’s other security features, aims to prevent vulnerabilities of this scale from ever needing emergency fixes.

Wider security improvements

Alongside the private vulnerability disclosure platform, GitHub also announced the launch of personal access tokens (PATs) to further protect against attackers elevating privileges inside open source projects.

Targeting developers who use access tokens to authenticate themselves and access GitHub resources when using the GitHub API or command line, the new tokens introduce the ability for organisations to apply the principle of least privilege to developer accounts.

It means if a developer account is compromised, a potential attacker could be limited to escalating privileges only to a specified level, minimising the damage they could inflict in an attack and the level of access to a project’s data.

PATs can also be scanned by the platform’s secret scanning tool, so maintainers will automatically be alerted when one may have been leaked through insecure code.
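As an added illustration of the kind of check secret scanning performs on committed code (example code written for this article, not GitHub's own scanner), the script below flags strings shaped like GitHub personal access tokens in a constructed source file and reports them masked. The token shapes assumed are GitHub's documented prefixes: `ghp_` plus 36 alphanumerics for classic PATs and `github_pat_` plus 82 characters for fine-grained PATs; the sample token values are made up.

```python
import re

# Assumed token shapes (from GitHub's documented prefixes, not from the article):
# classic PATs are "ghp_" + 36 alphanumerics; fine-grained PATs are
# "github_pat_" + 82 alphanumerics/underscores.
TOKEN_PATTERNS = {
    "classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
}


def mask(token: str) -> str:
    """Keep only the first and last four characters so a finding can be
    identified in a report without reproducing a usable secret."""
    return token[:4] + "..." + token[-4:]


def find_leaked_tokens(source: str):
    """Return (line_no, kind, masked_token) for every PAT-shaped string.

    This is what a pre-commit hook or CI step would run over a diff so a
    leaked token is caught before it reaches a public repository.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, mask(match.group(0))))
    return findings


# Constructed sample file: token values are invented and only have the right shape.
CLASSIC = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"       # "ghp_" + 36 chars
FINE_GRAINED = "github_pat_" + "A" * 22 + "_" + "b" * 59  # "github_pat_" + 82 chars
SAMPLE_SOURCE = "\n".join([
    "import requests",
    "API = 'https://api.github.com'",
    f'TOKEN = "{CLASSIC}"  # TODO: move to an env var before commit',
    'SHORT = "ghp_notatoken"  # wrong length, must not be reported',
    f"git clone https://{FINE_GRAINED}@github.com/example/repo.git",
])

if __name__ == "__main__":
    for line_no, kind, masked in find_leaked_tokens(SAMPLE_SOURCE):
        print(f"line {line_no}: possible {kind} {masked}")
```

A real pre-commit check would additionally fail the commit on any finding rather than only printing it.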

Two new pages have also been added to the GitHub security dashboard, available only to GitHub Enterprise users, to offer more detailed insights into the number of issues affecting different repositories.

The coverage page offers a clear view of which repositories have the likes of Dependabot enabled and how many repositories have not yet had secret scanning enabled, for example.

The risk page offers insight into all the alerts that each repository is receiving, giving businesses the chance to investigate each one with filtering options.
