[EDI] Publishing a repository security advisory (#59594)

sabrowning1 · sophietheking · web-flow · commit 821ff2e80bad · 2026-02-20T16:32:51.000Z
Co-authored-by: Sophie &lt;29382425+sophietheking@users.noreply.github.com&gt;
diff --git a/content/code-security/concepts/vulnerability-reporting-and-management/about-repository-security-advisories.md b/content/code-security/concepts/vulnerability-reporting-and-management/about-repository-security-advisories.md
@@ -29,9 +29,9 @@ topics:
 
 With repository security advisories, you can:
 
-1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory).
+1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project.
 1. Privately collaborate to fix the vulnerability in a temporary private fork.
-1. Publish the security advisory to alert your community of the vulnerability once a patch is released. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory).
+1. Publish the security advisory to alert your community of the vulnerability once a patch is released.
 
 {% data reusables.repositories.security-advisories-republishing %}
 
@@ -58,8 +58,30 @@ If a security advisory is specifically for npm, we also publish the advisory to
 When you create a security advisory for a public repository on {% data variables.product.prodname_dotcom %}, you have the option of providing an existing CVE identification number for the security vulnerability. {% data reusables.repositories.request-security-advisory-cve-id %}
 
 Once you've published the security advisory and {% data variables.product.prodname_dotcom %} has assigned a CVE identification number to the vulnerability, {% data variables.product.prodname_dotcom %} publishes the CVE to the MITRE database.
-For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory).
 
-## {% data variables.product.prodname_dependabot_alerts %} for published security advisories
+## Publication of security advisories
 
-{% data reusables.repositories.github-reviews-security-advisories %}
+Publishing a security advisory notifies your community about the vulnerability it addresses, making it easier for them to update package dependencies and research the impact of the vulnerability.
+
+When you publish a draft advisory from a public repository, visibility levels vary as follows:
+
+* **Anyone** can see the current version of the advisory data, as well as any advisory credits that the credited users have accepted.
+* **Collaborators** can view the conversation history of the advisory.
+
+The URL of a security advisory does not change after publication.
+
+If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. See [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory).
+
+### {% data variables.product.prodname_dependabot_alerts %} for published security advisories
+
+{% data variables.product.prodname_dotcom %} will review each published security advisory, add it to the {% data variables.product.prodname_advisory_database %}, and may use the security advisory to send {% data variables.product.prodname_dependabot_alerts %} to affected repositories. If the security advisory comes from a fork, we'll only send an alert if the fork owns a package, published under a unique name, on a public package registry. This process can take up to 72 hours and {% data variables.product.prodname_dotcom %} may contact you for more information.
+
+### Importance of fix versions
+
+Whenever possible, you should **add a fix version to a security advisory prior to publishing the advisory**. If you don't, the advisory will be published without a fixed version, and {% data variables.product.prodname_dependabot %} will alert your users about the issue, without offering any safe version to update to.
+
+Depending on the vulnerability, you may need to adjust your approach. If a fix version is:
+
+* **Imminently available**, and you are able to, wait to disclose the issue when the fix is ready.
+* **In development but not yet available**, mention this in the advisory, and edit the advisory later, after publication.
+* **Not planned**, be clear about it in the advisory so that your users don't contact you to ask when a fix will be made. In this case, it is helpful to include steps users can take to mitigate the issue.
diff --git a/content/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/publishing-a-repository-security-advisory.md b/content/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/publishing-a-repository-security-advisory.md
@@ -27,61 +27,28 @@ shortTitle: Publish repository advisory
 
 ## Prerequisites
 
-Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory).
-
-If you've created a security advisory but haven't yet provided details about the versions of your project that the security vulnerability affects, you can edit the security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory).
-
-## About publishing a security advisory
-
-When you publish a security advisory, you notify your community about the security vulnerability that the security advisory addresses. Publishing a security advisory makes it easier for your community to update package dependencies and research the impact of the security vulnerability.
-
-{% data reusables.repositories.security-advisories-republishing %}
-
-Before you publish a security advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability).
-
-> [!WARNING]
-> Whenever possible, you should always add a fix version to a security advisory prior to publishing the advisory. If you don't, the advisory will be published without a fixed version, and {% data variables.product.prodname_dependabot %} will alert your users about the issue, without offering any safe version to update to.
->
-> We recommend you take the following steps in these different situations:
->
-> * If a fix version is imminently available, and you are able to, wait to disclose the issue when the fix is ready.
-> * If a fix version is in development but not yet available, mention this in the advisory, and edit the advisory later, after publication.
-> * If you are not planning to fix the issue, be clear about it in the advisory so that your users don't contact you to ask when a fix will be made. In this case, it is helpful to include steps users can take to mitigate the issue.
-
-When you publish a draft advisory from a public repository, everyone is able to see:
-
-* The current version of the advisory data.
-* Any advisory credits that the credited users have accepted.
-
-> [!NOTE]
-> The general public will never have access to the edit history of the advisory, and will only see the published version.
-
-After you publish a security advisory, the URL for the security advisory will remain the same as before you published the security advisory. Anyone with read access to the repository can see the security advisory. Collaborators on the security advisory can continue to view past conversations, including the full comment stream, in the security advisory unless someone with admin permissions removes the collaborator from the security advisory.
-
-If you need to update or correct information in a security advisory that you've published, you can edit the security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory).
+Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. See [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory) and [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory).
 
 ## Publishing a security advisory
 
-Publishing a security advisory deletes the temporary private fork for the security advisory.
+> [!WARNING]
+> Whenever possible, you should add a fix version to a security advisory prior to publishing the advisory. If you don't, the advisory will be published without a fixed version, and {% data variables.product.prodname_dependabot %} will alert your users about the issue without offering any safe version to update to.
 
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
 {% data reusables.repositories.sidebar-advisories %}
 1. In the "Security Advisories" list, click the name of the security advisory you'd like to publish.
 1. Scroll to the bottom of the advisory form and click **Publish advisory**.
+    * If you selected "Request CVE ID later", you will see a **Request CVE** button in place of the **Publish advisory** button.
 
    ![Screenshot of the "Required advisory information has been provided" area of the page. The "Publish advisory" button is outlined in orange.](/assets/images/help/security/publish-advisory-button.png)
 
   > [!NOTE]
-  > If you selected "Request CVE ID later", you will see a **Request CVE** button in place of the **Publish advisory** button. For more information, see [Requesting a CVE identification number (Optional)](#requesting-a-cve-identification-number-optional) below.
-
-## {% data variables.product.prodname_dependabot_alerts %} for published security advisories
-
-{% data reusables.repositories.github-reviews-security-advisories %}
+  > Publishing a security advisory deletes the temporary private fork for the security advisory.
 
 ## Requesting a CVE identification number (Optional)
 
-{% data reusables.repositories.request-security-advisory-cve-id %} For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers).
+If you don't already have a CVE identification number for a security vulnerability in your project, you can request one from {% data variables.product.github %}.
 
 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-security %}
diff --git a/data/reusables/repositories/github-reviews-security-advisories.md b/data/reusables/repositories/github-reviews-security-advisories.md
