GitHub sets up private vulnerability reports for public repos to avoid 'naming and shaming'
No need for ignominy when a flaw is found
GitHub is offering a scheme for security researchers to privately report vulnerabilities found in public repositories.
Being able to privately report code flaws is important to researchers who are often left with choices that can lead to more security problems, GitHub said in a blog post.
"Security researchers often feel responsible for alerting users to a vulnerability that could be exploited," the company wrote. "If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues."
Such options "can potentially lead to a public disclosure of the vulnerability details," according to GitHub.
Repositories differ on how researchers can be contacted, with some having few if any instructions. In such cases going public can seem the only alternative, which opens the door to miscreants also finding and exploiting the flaw.
With the new private reporting capability, a security researcher can report a vulnerability to a public repository using the scheme. The repository's maintainers can either accept it – signaling to the researcher the desire to collaborate to fix the flaw – or ask more questions and/or reject it.
Maintainers can enable the private reporting on GitHub.com by going to the main page of their repository, clicking on Settings, and then on "Code security and analysis" in the "Security" section. To the right of "Private vulnerability reporting," they can choose to enable or disable the feature.
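The steps above walk through the web UI for one repository. An organization with many public repositories will want to audit the setting across all of them and switch it on where it is missing. The script below is an added example, not GitHub's own tooling or code from the article; it assumes the GitHub REST API endpoints `GET`/`PUT /repos/{owner}/{repo}/private-vulnerability-reporting` (added to the API after this article was written), the `GET /orgs/{org}/repos` listing endpoint, and a token with repository administration rights in the `GITHUB_TOKEN` environment variable. The organization name `acme` used when run from the command line is a placeholder.

```python
"""Audit and enable private vulnerability reporting across an org's public repos.

Added example; assumes the REST endpoints named in the lead-in. The HTTP
call is passed in as a function so the audit logic can be exercised offline.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"
PVR = "/repos/{owner}/{repo}/private-vulnerability-reporting"


def github_request(method, path, token):
    """Send one REST call and return (HTTP status, decoded JSON body or None)."""
    req = urllib.request.Request(
        API + path,
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else None)
    except urllib.error.HTTPError as err:
        # 404 is returned for repos where the setting is not available (e.g. private repos)
        return err.code, None


def list_public_repos(owner, request):
    """Page through the org's public repositories and return their names."""
    names, page = [], 1
    while True:
        status, body = request(
            "GET", f"/orgs/{owner}/repos?type=public&per_page=100&page={page}"
        )
        if status != 200 or not body:
            break
        names.extend(repo["name"] for repo in body)
        page += 1
    return names


def audit(owner, repos, request):
    """Map each repo to True/False for the setting, or None if it could not be read."""
    report = {}
    for repo in repos:
        status, body = request("GET", PVR.format(owner=owner, repo=repo))
        report[repo] = body.get("enabled") if status == 200 and body else None
    return report


def enable_missing(owner, report, request):
    """Turn the setting on for every repo reported as disabled; return those enabled."""
    enabled = []
    for repo, state in report.items():
        if state is False:
            status, _ = request("PUT", PVR.format(owner=owner, repo=repo))
            if status == 204:  # GitHub answers 204 No Content on success
                enabled.append(repo)
    return enabled


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=... python pvr_audit.py <org> [--enable]
    org = sys.argv[1] if len(sys.argv) > 1 else "acme"  # placeholder org name
    token = os.environ.get("GITHUB_TOKEN", "")

    def live(method, path):
        return github_request(method, path, token)

    result = audit(org, list_public_repos(org, live), live)
    for name, state in sorted(result.items()):
        print(f"{name}: {'enabled' if state else 'DISABLED' if state is False else 'unknown'}")
    if "--enable" in sys.argv:
        print("enabled on:", ", ".join(enable_missing(org, result, live)) or "nothing")
```

Repos that answer with anything other than HTTP 200 on the read are reported as `unknown` rather than silently treated as disabled, so the `--enable` pass only touches repositories where the setting was confirmed off.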
"When a maintainer enables private security reporting for their repository, security researchers will see a new button in the Advisories page of the repository," according to GitHub. "The security researcher can click this button to privately report a security vulnerability to the repository maintainer."
The initiative was one of a number of announcements GitHub made at this month's GitHub Universe 2022 developer show.
No more 'naming and shaming'
GitHub's move is a welcome one in the cybersecurity field. Andrew Barratt, vice president at Coalfire, told The Register there has been a need for better collaboration between researchers and software makers, adding that "with everything from bug bounty schemes, security reporting aliases, and public name shaming on social media, private vulnerability reporting feels like an obvious solution to bring the research community together with the product community."
Casey Ellis, founder and CTO at Bugcrowd, told The Register that GitHub is not only creating a workflow to facilitate the disclosure of flaws, but even more so it's normalizing the importance of outside security feedback for FOSS maintainers and developers.
Outside the open-source world, it's normal for bug bounty programs and product security incident response teams (PSIRTs) to take private reports, according to John Bambenek, principal threat hunter at Netenrich.
Mike Parkin, senior technical engineer at Vulcan Cyber, told us that major software developers like Microsoft already have ways to privately contact them about vulnerabilities.
That said, closed-source vendors can still use approaches similar to GitHub's to generate more engagement with the community, possibly through publishing APIs or interface stubs with a reporting option for researchers, Coalfire's Barratt said.
"The first steps for those vendors are to really have an engagement model with the community they're willing to commit to," he said. "It's typically the lack of engagement, or lack of any meaningful way to collaborate, that triggers the 'name and shame' in social media, quite often with researchers publishing the worst-case scenario in order to get the attention of an executive." ®