---
title: Configuring private vulnerability reporting for an organization
intro: Organization owners and security managers can allow security researchers to report vulnerabilities securely in repositories within the organization by enabling private vulnerability reporting for all its public repositories.
permissions: Anyone with admin permissions to an organization, or with a security manager role within the organization, can enable and disable private vulnerability reporting for that organization.
versions:
type: how_to
topics:
shortTitle: Configure for an organization
redirect_from:
---
Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If a repository gives no clear instructions for contacting its maintainers, researchers may have no option but to post about the vulnerability on social media, send direct messages to the maintainer, or even open a public issue. Any of these can lead to public disclosure of the vulnerability details before a fix is available.
{% data reusables.security-advisory.private-vulnerability-reporting-overview %}
For organization owners and security managers, the benefits of using private vulnerability reporting are: {% data reusables.security-advisory.private-vulnerability-reporting-benefits %}
The instructions below refer to enablement at the organization level. For information about enabling the feature for a single repository, see "AUTOTITLE."
{% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}
For more information about configuring notification preferences, see "AUTOTITLE."
## Enabling or disabling private vulnerability reporting for public repositories added to the organization
You can enable or disable private vulnerability reporting for new public repositories added to the organization using the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "AUTOTITLE" and "AUTOTITLE."
## What having private vulnerability reporting enabled for a repository looks like for a security researcher
{% data reusables.security-advisory.private-vulnerability-reporting-security-researcher %}
{% data reusables.security-advisory.private-vulnerability-api %}
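Security configurations cover repositories as they are added to the organization, but they do not tell you which of the organization's existing public repositories still have private vulnerability reporting switched off. The following script is an added example, not code from this page or from GitHub, that audits that state through the REST API and can enable the feature where it is missing. It assumes the per-repository endpoints `GET`/`PUT`/`DELETE /repos/{owner}/{repo}/private-vulnerability-reporting` (with `GET` returning `{"enabled": <bool>}` and `PUT` answering `204 No Content`) and the `/orgs/{org}/repos?type=public` listing; check both against the current REST API reference before relying on them. The organization name `example-org` is a placeholder, and the token in `GITHUB_TOKEN` must carry admin or security manager rights on the organization.

```python
"""Audit, and optionally enable, private vulnerability reporting (PVR)
across an organization's public repositories via the GitHub REST API.

Added example; not from the GitHub docs page. Assumed endpoints (verify
against the current REST API reference):
  GET    /orgs/{org}/repos?type=public                        list repositories
  GET    /repos/{owner}/{repo}/private-vulnerability-reporting  -> {"enabled": bool}
  PUT    /repos/{owner}/{repo}/private-vulnerability-reporting  enable (204)
  DELETE /repos/{owner}/{repo}/private-vulnerability-reporting  disable (204)
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"


def pvr_endpoint(owner: str, repo: str) -> str:
    """Path of the per-repository private vulnerability reporting resource."""
    return f"/repos/{owner}/{repo}/private-vulnerability-reporting"


def parse_pvr_status(body: bytes) -> bool:
    """Interpret a GET response body; anything but {"enabled": true} counts as off."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and data.get("enabled") is True


def select_candidates(repos: list) -> list:
    """Names of repositories where PVR can apply: public and not archived.
    PVR exists only on public repositories, and archived repositories are
    read-only, so both are left out of the enablement plan."""
    return sorted(
        r["name"] for r in repos
        if r.get("visibility") == "public" and not r.get("archived", False)
    )


def _request(method: str, path: str, token: str) -> tuple:
    """Minimal authenticated call; returns (HTTP status, body bytes)."""
    req = urllib.request.Request(API + path, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("X-GitHub-Api-Version", "2022-11-28")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def list_public_repos(org: str, token: str) -> list:
    """Walk the paginated /orgs/{org}/repos listing, 100 per page."""
    repos, page = [], 1
    while True:
        status, body = _request(
            "GET", f"/orgs/{org}/repos?type=public&per_page=100&page={page}", token)
        if status != 200:
            raise RuntimeError(f"listing repositories failed: HTTP {status}")
        batch = json.loads(body)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1


def audit(org: str, token: str, enable: bool = False) -> dict:
    """Map repository name -> PVR enabled; with enable=True, switch it on where off."""
    result = {}
    for name in select_candidates(list_public_repos(org, token)):
        status, body = _request("GET", pvr_endpoint(org, name), token)
        enabled = status == 200 and parse_pvr_status(body)
        if not enabled and enable:
            put_status, _ = _request("PUT", pvr_endpoint(org, name), token)
            enabled = put_status == 204  # assumed success code for PUT
        result[name] = enabled
    return result


if __name__ == "__main__":
    org_name = sys.argv[1] if len(sys.argv) > 1 else "example-org"  # placeholder
    report = audit(org_name, os.environ["GITHUB_TOKEN"], enable="--enable" in sys.argv)
    for repo_name, on in sorted(report.items()):
        print(f"{'enabled ' if on else 'DISABLED'}  {org_name}/{repo_name}")
```

Run it first without `--enable` to get a report; rerun with `--enable` only after reviewing the list, since the script treats every non-archived public repository as a candidate and makes one write per repository that is currently off.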