GitHub Now Supports Private Vulnerability Reporting For Public Repositories

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Code hosting company GitHub has unveiled a new direct channel for security researchers to report vulnerabilities in public repositories.

The feature needs to be manually enabled by repository maintainers and, once active, enables security researchers to report any vulnerabilities identified in their code.

“Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting,” the Microsoft-owned platform wrote in a recent blog post.

According to the company, security researchers often feel responsible for alerting users to a vulnerability that could be exploited.

However, in the lack of clear instructions about contacting maintainers of the repository containing the vulnerability, researchers may have to disclose the vulnerability on social media or send direct messages to the maintainer, which could lead to public disclosure of the flaw details.

“The default behavior in GitHub to reporting issues is using the issues functionality (or potentially a git request),” said John Bambenek, principal threat hunter at Netenrich, referring to the previous system of disclosing vulnerabilities on GitHub.

“Both are public, which allows attackers to know there is a problem, and they can use the age of the initial report to further inform their targeting,” Bambenek told Infosecurity. “Attackers still have the window between when a patch is available and when it is universally applied. We don’t need to give them even more time.”

The new feature has therefore been designed to make it easier for security researchers to report vulnerabilities directly using a simple form.

“Full props to Github here, not just for creating a workflow to facilitate vulnerability disclosure, but more importantly, for normalizing the importance of security feedback from the outside world for F/OSS maintainers and developers,” said Casey Ellis, founder and CTO at Bugcrowd.

Upon receiving a vulnerability alert, security researchers can accept it, ask more questions or reject it. Should they decide to accept it, they will then be able to collaborate with the individual who discovered the vulnerability.

The private vulnerability reporting capability comes weeks after Checkmarx discovered a flaw in GitHub that could have reportedly enabled attackers to take control of repositories and spread malware to related apps and code.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Russian Hacker Group ToddyCat Uses Advanced Tools for Industrial-Scale Data Theft
OfflRouter Malware Evades Detection in Ukraine for Almost a Decade
Linux Cerber Ransomware Variant Exploits Atlassian Servers
Akira Ransomware Group Rakes in $42m, 250 Organizations Impacted
Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Leave a Reply

Your email address will not be published. Required fields are marked *