GitHub has launched a new way of disclosing security vulnerabilities privately and directly from within a repository in a bid to improve the state of software supply chain security.
The new private reporting tool is nestled within the security tab of a GitHub repository and is presented as a simple web form that can be used to alert the maintiners of an open source project of a security issue.
GitHub said that disclosing vulnerabilities in open source projects can often be difficult, and researchers have told them they have avoided disclosing a vulnerability altogether because the maintainer’s contact information was too difficult to find.
The company hopes the new tool will help developers avoid attracting attention to vulnerabilities by public methods of disclosure, such as over Twitter, where black hat hackers could be alerted to issues and develop exploits before the issue can be fixed.
“The challenge that we see is that a really high number of open source projects do not have any security policy or any defined disclosure practice,” said Justin Hutchings, director of product management at GitHub to IT Pro.
“So when a researcher finds a bug in one of those pieces of code, they're left tweeting at the maintainer to say "will you please contact me, DM me, I have something important to tell you and I don't want to tell you the wrong way".
“And, of course, sometimes, security researchers being busy people, if they can't find it, they try maybe one or two things [before] they just go and ask for the CVE, and then everyone ends up surprised because the right thing didn't happen.”
Private vulnerability reporting can be enabled by maintainers quickly through a repository’s settings. It also offers the researcher reporting the issue visibility into the status of remediation and the chance to test any proposed fix developed by the maintainer.
Reporters can also start a temporary fork if they want to start developing a fix for the security issue if they have the will and experience to do so. The reporter cannot make the fork permanent or public a public disclosure of their report.
The new feature works alongside GitHub’s other security tools that provide maintainers with capabilities to prevent security issues from impacting the health of their projects.
These include Dependabot which pushes alerts when known vulnerabilities are found in a project’s dependencies, secret scanning which scans code for components that could leak secret access keys, and code scanning which scans for security vulnerabilities in code.
Launched this week at GitHub Universe, the tool is now in public beta but is expected to be made generally available in early 2023.
The focus on security vulnerabilities in the software supply chain was brought to the fore in late 2021 with the discovery of the Log4Shell vulnerability impacting the Apache Log4j logging utility.
Due to its use in the majority of software used in businesses across the world, the news caused the cyber security community to panic over the degree to which possible exploits could impact the global IT industry.
GitHub’s new private vulnerability disclosure tool, along with the company’s other security features, aims to prevent vulnerabilities of this scale from ever needing emergency fixes.
Wider security improvements
Alongside the private vulnerability disclosure platform, GitHub also announced the launch of personal access tokens (PATs) to further protect against attackers elevating privileges inside open source projects.
Targeting developers who use access tokens to authenticate themselves and access GitHub resources when using the GitHub API or command line, the new tokens introduce the ability for organisations to apply the principle of least privilege to developer accounts.
It means if a developer account is compromised, a potential attacker could be limited to escalating privileges only to a specified level, minimising the damage they could inflict in an attack and the level of access to a project’s data.
PATs can also be scanned by the platform’s secret scanning tool so maintainers will automatically be alerted to when one may have been leaked through insecure code.
Two new pages have also been added to the GitHub security dashboard, available only to GitHub Enterprise users, to offer more detailed insights into the number of issues affecting different repositories.
The coverage page offers a clear view of which repositories have the likes of Dependabot enabled and how many repositories have not yet had secret scanning enabled, for example.
The risk page offers insight into all the alerts that each repository is receiving, and then giving businesses the chance to investigate each with filtering options.
