Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.
About privately reporting a security vulnerability
Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions for contacting the maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. Any of these routes can lead to public disclosure of the vulnerability details before a fix is available.
Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to repository maintainers using a simple form.
For security researchers, the benefits of using private vulnerability reporting are:
Less frustration and less time spent trying to figure out how to contact the maintainer.
A smoother process for disclosing and discussing vulnerability details.
The opportunity to discuss vulnerability details privately with the repository maintainers.
Privately reporting a security vulnerability
Security researchers can privately report a security vulnerability to repository maintainers.
On GitHub.com, navigate to the main page of the repository.
Under the repository name, click Security.
In the left sidebar, under "Reporting", click Advisories.
Click Report a vulnerability to open the advisory form.
Fill in the advisory details form.
At the bottom of the form, click Submit report. GitHub will display a message letting you know that maintainers have been notified and that you have a pending credit for this security advisory.
Tip: When the report is submitted, GitHub automatically adds the reporter of the vulnerability as a collaborator and as a credited user on the proposed advisory.
Optionally, click Start a temporary private fork if you want to start working on a fix. Only the repository maintainer can merge that private fork.
The next steps depend on the action taken by the repository maintainer. For more information, see "Managing privately reported security vulnerabilities."
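The same report can be filed without the web form, which is useful when a researcher automates disclosure across many repositories. The following is an added example, not code from this page or from GitHub; it assumes the REST endpoint POST /repos/{owner}/{repo}/security-advisories/reports and its field names (summary, description, vulnerabilities, cvss_vector_string, cwe_ids, severity, start_private_fork) as documented for the GitHub REST API, a token in the GITHUB_TOKEN environment variable, and constructed sample values for the organisation, package and vulnerability. The validation in build_report catches malformed input before anything leaves the reporter's machine; echo_opener lets the flow be rehearsed offline without a token.

```python
"""Privately report a vulnerability to repository maintainers via the GitHub REST API.

Added example. Assumes the endpoint and field names of
POST /repos/{owner}/{repo}/security-advisories/reports as documented for the
GitHub REST API; owner, package and vulnerability details below are constructed.
"""
import io
import json
import os
import urllib.request

API_ROOT = "https://api.github.com"
SUMMARY_MAX = 1024       # advisory summary length limit (assumed from GitHub docs)
DESCRIPTION_MAX = 65535  # advisory description length limit (assumed from GitHub docs)
SEVERITIES = {"low", "medium", "high", "critical"}


def build_report(summary, description, ecosystem, package, vulnerable_range,
                 patched_versions=None, cvss_vector=None, cwe_ids=None,
                 severity=None, start_private_fork=False):
    """Validate reporter input and assemble the JSON body for the report.

    Raising ValueError here is friendlier than an opaque 422 from the API, and
    keeps a half-formed report (for example one missing reproduction details)
    from being submitted by mistake.
    """
    if not summary.strip() or len(summary) > SUMMARY_MAX:
        raise ValueError(f"summary must be 1..{SUMMARY_MAX} characters")
    if not description.strip() or len(description) > DESCRIPTION_MAX:
        raise ValueError(f"description must be 1..{DESCRIPTION_MAX} characters")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if cvss_vector is not None and not cvss_vector.startswith("CVSS:3."):
        raise ValueError("cvss_vector must be a CVSS v3.x vector string")
    if severity is not None and cvss_vector is not None:
        # The API accepts either a severity label or a CVSS vector (assumed).
        raise ValueError("give severity or cvss_vector, not both")
    if cwe_ids is not None and not all(c.startswith("CWE-") for c in cwe_ids):
        raise ValueError("cwe_ids must look like CWE-22")

    vulnerability = {
        "package": {"ecosystem": ecosystem, "name": package},
        "vulnerable_version_range": vulnerable_range,
    }
    if patched_versions is not None:
        vulnerability["patched_versions"] = patched_versions

    body = {
        "summary": summary,
        "description": description,
        "vulnerabilities": [vulnerability],
        "start_private_fork": start_private_fork,  # ask for the temporary fork up front
    }
    if cvss_vector is not None:
        body["cvss_vector_string"] = cvss_vector
    if severity is not None:
        body["severity"] = severity
    if cwe_ids:
        body["cwe_ids"] = list(cwe_ids)
    return body


def submit_report(owner, repo, token, body, opener=urllib.request.urlopen):
    """POST the report to the private reporting endpoint and return the parsed JSON reply.

    Exploit details travel only in this authenticated request body, never in a
    public issue. `opener` is injectable so the call can be exercised offline.
    """
    url = f"{API_ROOT}/repos/{owner}/{repo}/security-advisories/reports"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    with opener(req) as resp:
        return json.load(resp)


def echo_opener(req):
    """Offline stand-in for urlopen: reflects the request back as a fake JSON reply."""
    reply = {"_url": req.full_url, "_method": req.get_method(),
             "body": json.loads(req.data)}
    return io.BytesIO(json.dumps(reply).encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: organisation, package and finding are placeholders.
    report = build_report(
        summary="Path traversal in archive extraction",
        description="Entries with '../' components are written outside the "
                    "target directory. Reproduction steps and PoC archive attached.",
        ecosystem="pip", package="example-archiver", vulnerable_range="< 2.1.0",
        patched_versions="2.1.0",
        cvss_vector="CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
        cwe_ids=["CWE-22"], start_private_fork=True,
    )
    token = os.environ.get("GITHUB_TOKEN")
    opener = urllib.request.urlopen if token else echo_opener  # dry run without a token
    print(json.dumps(submit_report("octo-org", "example-archiver", token or "", report,
                                   opener=opener), indent=2))
```

Run it without GITHUB_TOKEN to see the exact request that would be sent; with a token that has permission to report to the target repository, the real endpoint is called and the reply describes the newly created, still-private advisory.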