IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

GitHub goes open source on security research

Community members, enthusiasts, researchers, and academics are now able to submit their own research to widen the understanding of security vulnerabilities

GitHub has opened up its security Advisory Database to community contributions with the aim of furthering the security of the software supply chain.

Independent security researchers, academics, and enthusiasts are now able to submit their own research into security vulnerabilities into the open source development platform to provide further insight into existing vulnerabilities.

The process will work much like the platform’s pull requests feature that’s already used by developers to suggest changes to projects. Those with deeper insight into an existing security vulnerability will be able to submit their findings via a pull request and it will then be verified before being published.

Security researchers from the GitHub Security Lab, as well as the maintainer of the project who filed the vulnerability, are tasked with verifying each submission. If approved, the community contribution will be merged into the public advisory and credit will be displayed on the user’s profile.

To submit research to deepen the understanding of a given vulnerability, community researchers can navigate to a vulnerability’s advisory on the Advisory Database and click ‘suggest improvements for this vulnerability’ in the right-side pane on the page. 

In addition to accepting community submissions, GitHub will also be publishing the contents of the Advisory Database to a new public repository to make it easier for the community to benefit from the professionally verified data

Just like with the current data in the Advisory Database, the contents of the new public repository will be licensed under the Creative Commons license, meaning that the data will always be free and usable by the community.

What is the GitHub Advisory Database?

The GitHub Advisory Database pulls in security vulnerabilities from a number of verified sources, allowing users to search for issues that affect open source projects hosted on the platform.

Security vulnerabilities are sourced from the National Vulnerability Database, the npm security advisories database, detected issues in public commits on GitHub projects, and security advisories directly reported on GitHub. 

GitHub is a CVE Naming Authority (CNA) and can assign Common Vulnerability Exposure (CVE) identification numbers for the verified security flaws that are submitted through its platform.

Related Resource

Modernise your server infrastructure for speed and security

Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation

Whitepaper cover with title and block dark green rectangle with grey and white arrow graphicsFree Download

The vulnerabilities listed in the Advisory Database are split into two categories: GitHub-reviewed advisories and unreviewed advisories. The verified entries in the database also inform GitHub’s Dependabot feature, which automatically alerts and updates projects when it discovers a security vulnerability.

“The GitHub Advisory Database is the largest database of vulnerabilities in software dependencies in the world,” said GitHub. 

“It is maintained by a dedicated team of full-time curators and powers the security audit experience for npm and NuGet, as well as GitHub’s own Dependabot alerts. By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software.”

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

GitHub Enterprise Server 3.5 is equipped with a horde of new security protections
software development

GitHub Enterprise Server 3.5 is equipped with a horde of new security protections

1 Jun 2022
GitHub's latest security updates aim to protect projects in their earliest stages
Development

GitHub's latest security updates aim to protect projects in their earliest stages

7 Apr 2022
GitHub's ultra-fast onboarding tool Codespaces makes its way to public beta
Development

GitHub's ultra-fast onboarding tool Codespaces makes its way to public beta

25 Feb 2022
GitHub launches code scanning tool for JavaScript and TypeScript projects
Development

GitHub launches code scanning tool for JavaScript and TypeScript projects

18 Feb 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
Electrical explosion reported at Google's Iowa data centre
data centres

Electrical explosion reported at Google's Iowa data centre

9 Aug 2022