• About
  • Subscribe
  • Contact
Wednesday, May 7, 2025
    Login
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
No Result
View All Result
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
No Result
View All Result
No Result
View All Result
Home Technology Business Applications & Databases

GitHub delivers private vulnerability reporting at scale

Gigi Onag by Gigi Onag
April 25, 2023
Image by RAEng_Publications from Pixabay

Image by RAEng_Publications from Pixabay

GitHub has made private vulnerability reporting generally available for free on public repositories, making it easier for researchers and maintainers to ensure the integrity of the open-source supply chain.

The world’s largest code sharing platform that enables software developers to collaborate has been testing the public beta of private vulnerability reporting since November 2022.

To date, maintainers from over 30,000  organisations enabled private vulnerability reporting on more than 180,000 repos and received 1k+ submissions from researchers. Through this enablement and feedback from the community, GitHub has also made a number of feature improvements including multi-repo enablement, new credit types, and increased integration and automation workflows.

Jonathan Leitschuh, OpenSFF

“One of the biggest struggles as a researcher has been making initial contact to disclose the vulnerability to the maintainer. Private vulnerability reporting is a massive step forward."

Jonathan Leitschuh, GitHub Star, GitHub Security Ambassador, and senior open source security researcher for the Open Source Security Foundation (OpenSSF) Project Alpha-Omega

GitHub is a founding member of the OpenSSF and actively participates in the working group for securing software repositories, with the goal of bringing similar capabilities to other platforms and package ecosystems.

Before its general availability, private vulnerability reporting could only be enabled on individual repositories. Now, maintainers can enable private vulnerability reporting on all repositories in their organisation. Maintainers can also now choose how to credit people who find and contribute to fixing vulnerabilities.

Furthermore, a new repository security advisories API supports several new integration and automation workflows.

Also, maintainers can pipe private vulnerability reports from GitHub to third-party vulnerability management systems Security researchers can also use the API to programmatically open a private vulnerability report on multiple repositories, a time-saving convenience when packages share a common vulnerability.

Anyone can keep a close eye on critical repositories by scheduling automatic pings for notifications of new vulnerability reports.

npm package provenance

Additionally, GitHub announced npm package provenance, meaning developers building npm projects on GitHub Actions can now publish provenance alongside their packages, giving consumers a verifiable way to link a package back to its source repository and build instructions.

As home to the largest package registry in the world, GitHub is continually looking at security improvements to ensure the npm ecosystem remains healthy. Part of that responsibility is to help build trust in the open-source projects and GitHub wants to give developers the tools they need to ensure the integrity of their software supply chain. With the npm provenance package, GitHub’s goal for the npm ecosystem is to bring the same level of transparency it has with the open-source code itself to the process by which that code is built and published.

With the move to make npm package provenance generally available, GitHub is working on a number of additional improvements:

●      Adopting version 1.0 of the SLSA provenance specification.

●      Working with other cloud CI/CD providers to add support for provenance signing.

●      Verifying the expected source repository and commit exist.

●      New tools to manage access between your CI/CD environment and the npm registry.

Related:  HPE reveals new AI cloud service for LLMs
Tags: cybersecurityGitHubnpm provenanceopen sourceOpen source softwareOpenSSFprivate vulnerability reportingsoftware development
Gigi Onag

Gigi Onag

Gigi has more than 15 years of experience in technology journalism, covering various aspects of enterprise IT and telecommunications from both business and technology perspective. Before joining CXOCIETY as editor for FutureIoT in July 2019, she was assistant editor of ComputerWorld Hong Kong. Based in Hong Kong, she started with regional IT publications under CMP Asia (now Informa), including Asia Computer Weekly, Intelligent Enterprise Asia and Network Computing Asia and Teledotcom Asia. She had contributed articles to South China Morning Post, TechTarget and PC Market among others.

No Result
View All Result

Recent Posts

  • Agentic AI-powered AppSec platform launched for the AI era
  • IDC forecasts GenAI alone will grow at a 59.2% CAGR
  • Dataiku brings new AI capabilities to create and control AI agents
  • Microsoft reveals the rise of a new kind of organisation in the AI era
  • St Luke’s ElderCare enhances data security and user experience with Juniper

Live Poll

Categories

  • Big Data, Analytics & Intelligence
  • Business Applications & Databases
  • Business-IT Alignment
  • Careers
  • Case Studies
  • CISO
  • CISO strategies
  • Cloud, Virtualization, Operating Environments and Middleware
  • Computer, Storage, Networks, Connectivity
  • Corporate Social Responsibility
  • Customer Experience / Engagement
  • Cyber risk management
  • Cyberattacks and data breaches
  • Cybersecurity careers
  • Cybersecurity operations
  • Education
  • Education
  • Finance
  • Finance & Insurance
  • FutureCISO
  • General
  • Governance, Risk and Compliance
  • Government and Public Services
  • Growth Strategies
  • Hospitality & Tourism
  • HR, education and Training
  • Industry Verticals
  • Infrastructure & Platforms
  • Insider threats
  • Latest Stories
  • Logistics & Transportation
  • Management Leadership
  • Manufacturing
  • Media and Telecommunications
  • News Stories
  • Operations
  • Opinion
  • Opinions
  • People
  • Process
  • Remote work
  • Retail & Wholesale
  • Sales & Marketing
  • Security
  • Tactics and Strategies
  • Technology
  • Utilities
  • Videos
  • Vulnerabilities and threats
  • White Papers

Strategic Insights for Chief Information Officers

FutureCIO is about enabling the CIO, his team, the leadership and the enterprise through shared expertise, know-how and experience - through a community of shared interests and goals. It is also about discovering unknown best practices that will help realize new business models.

Quick Links

  • Videos
  • Resources
  • Subscribe
  • Contact

Cxociety Media Brands

  • FutureIoT
  • FutureCFO
  • FutureCIO

Categories

  • Privacy Policy
  • Terms of Use
  • Cookie Policy

Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl

Login to your account below

or

Not a member yet? Register here

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
Login

Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl

Subscribe