You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md
+9-5Lines changed: 9 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,9 +14,9 @@ The initial report of a vulnerability is made privately, and the full details ar
14
14
15
15
#### Best practices for security researchers
16
16
17
-
Security researchers should try to report vulnerabilities privately to maintainers. When possible, please avoid:
17
+
Security researchers should try to report vulnerabilities privately to maintainers. When possible, as a security researcher, you should avoid:
18
18
- Disclosing the vulnerability publicly
19
-
- Bypassing the maintainer
19
+
- Bypassing the maintainers
20
20
- Disclosing the vulnerability before a fixed version of the code is available
21
21
- Expecting to be compensated for reporting an issue, where no public bounty program exists
22
22
@@ -25,28 +25,32 @@ It's acceptable for security researchers to disclose a vulnerability publicly af
25
25
#### Best practices for maintainers
26
26
27
27
Maintainers should disclose vulnerabilities in a timely manner. If there is a security vulnerability in your repository, you should:
28
-
- Treat the vulnerability as a security issue rather than a simple bug
28
+
- Treat the vulnerability as a security issue rather than a simple bug, both in your response and your disclosure. For example, you'll need to explicitly mention that the issue is a security vulnerability in the release notes.
29
29
- Plan to disclose the vulnerability responsibly
30
30
- Give credit where credit is due
31
31
- Aim to publish a fix as soon as you can
32
32
33
33
Publishing the details of a security vulnerability doesn't make maintainers look bad. Security vulnerabilities are present everywhere in software nowadays, and users will trust maintainers who have a clear and established process for disclosing security vulnerabilities in their code.
34
34
35
-
### About reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}
35
+
### About reporting and disclosing vulnerabilities in projects on {% data variables.product.prodname_dotcom %}
36
36
37
37
The process for reporting and disclosing vulnerabilities for projects on {% data variables.product.prodname_dotcom_the_website %} is as follows:
38
38
39
-
If you are a security researcher who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see "[About security policies](/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository#about-security-policies)." If there is one, follow it to understand the process before contacting the security team for that repository. If there isn't a security policy for the repository, you may try to privately contact the maintainer based on information available in the _security.md_ file.
39
+
If you are a security researcher who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see "[About security policies](/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository#about-security-policies)." If there is one, follow it to understand the process before contacting the security team for that repository. If there isn't a security policy for the repository, you may try to privately contact the maintainers based on information available in the _security.md_ file.
40
40
41
41
{% note %}
42
42
43
43
**Note**: _For npm only_ - If we receive a report of malware in an npm package, we try to contact you privately. If you don't address the issue in a timely manner, we will disclose it. For more information, see "[Reporting malware in an npm package](https://docs.npmjs.com/reporting-malware-in-an-npm-package)" on the npm Docs website.
44
44
45
45
{% endnote %}
46
46
47
+
If you've found a security vulnerability in {% data variables.product.prodname_dotcom_the_website %}, please report the vulnerability through our responsible disclosure process. For more information, see the [{% data variables.product.prodname_dotcom %} Security Bug Bounty](https://bounty.github.com/) website.
48
+
47
49
If you are a maintainer, it's likely that a security researcher will email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue.
48
50
49
51
As a maintainer, to disclose a vulnerability that exists in your repository, you first create a draft security advisory in your package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)."
50
52
51
53
52
54
To get started, see "[Creating a security advisory](/github/managing-security-vulnerabilities/creating-a-security-advisory)."
Copy file name to clipboardExpand all lines: content/github/managing-security-vulnerabilities/about-github-security-advisories.md
+1-5Lines changed: 1 addition & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -24,11 +24,7 @@ With {% data variables.product.prodname_security_advisories %}, you can:
24
24
2. Privately collaborate to fix the vulnerability in a temporary private fork.
25
25
3. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see "[Publishing a security advisory](/github/managing-security-vulnerabilities/publishing-a-security-advisory)."
26
26
27
-
{% note %}
28
-
29
-
**Note**: {% data variables.product.prodname_dotcom %} and npm currently publish advisories on both [github.com/advisories](https://github.com/advisories) and [npmjs.com/advisories](https://www.npmjs.com/advisories).
30
-
31
-
{% endnote %}
27
+
If you created a security advisory in your repository, the security advisory will stay in your repository. We publish security advisories for any of the ecosystems supported by the dependency graph to the {% data variables.product.prodname_advisory_database %} on [github.com/advisories](https://github.com/advisories). If a security advisory is specifically for npm, we also publish the advisory to the npm security advisories. For more information, see [npmjs.com/advisories](https://www.npmjs.com/advisories).
32
28
33
29
{% data reusables.repositories.security-advisories-republishing %}
Vulnerability disclosure is an area where collaboration between security researchers and project maintainers is very important, from the moment a potentially harmful security vulnerability is found, right until a vulnerability is disclosed to the world, ideally with a patch available. Typically, when someone lets a maintainer know privately about a security vulnerability, the maintainer develops a fix, validates it, and notifies the users of a project or a package.
1
+
Vulnerability disclosure is an area where collaboration between security researchers and project maintainers is very important, from the moment a potentially harmful security vulnerability is found, right until a vulnerability is disclosed to the world, ideally with a patch available. Typically, when someone lets a maintainer know privately about a security vulnerability, the maintainer develops a fix, validates it, and notifies the users of the project or package.
0 commit comments