Keeping threat actors out of the loop
GitHub is allowing developers to notify their peers of discovered vulnerabilities – quietly. The company says this will avoid the “name and shame” game and prevent exploitations that might result from public disclosure.
In a blog post earlier this week, GitHub said given the way that platform is currently set up, sometimes there’s no other option but to disclose a vulnerability publicly – and before malware removal software can be deployed – alerting potential threat actors.
“Security researchers often feel responsible for alerting users to a vulnerability that could be exploited,” the blog reads. “If there are no clear instructions about contacting maintainers of the repository containing the vulnerability. It can potentially lead to a public disclosure of the vulnerability details.”
Private vulnerability reporting
To tackle the issue, GitHub has now introduced private vulnerability reporting – essentially a simple reporting form.
When a developer tries to reach out to the maintainer of the affected vulnerability via Private vulnerability reporting, the latter can choose to either accept it, ask more questions, or reject it.
“If you accept the report, you’re ready to collaborate on a fix for the vulnerability in private with the security researcher,” the post explains.
The Microsoft-owned platform also hopes this disclosure method will streamline troubleshooting efforts, since reports are dealt with in a single place. Furthermore, it gives maintainers the opportunity to discuss vulnerability details in private with security researchers and ultimately use patch management software to collaborate on a fix.
The repository’s community has welcomed the news, The Register reported. It spoke to multiple CTOs, technical engineers and threat hunters, all of which agree that such a feature was in high demand on GitHub.