---
title: Configuring private vulnerability reporting for an organization
intro: 'Organization owners and security managers can allow security researchers to report vulnerabilities securely in repositories within the organization by enabling private vulnerability reporting for all its public repositories.'
permissions: 'Anyone with admin permissions to an organization, or with a security manager role within the organization, can enable and disable private vulnerability reporting for that organization.'
versions:
  fpt: '*'
  ghec: '*'
type: how_to
topics:
  - Security advisories
  - Vulnerabilities
shortTitle: Configure for an organization
redirect_from:
  - /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
---

## About privately reporting a security vulnerability

Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.

{% data reusables.security-advisory.private-vulnerability-reporting-overview %}

For organization owners and security managers, the benefits of using private vulnerability reporting are: {% data reusables.security-advisory.private-vulnerability-reporting-benefits %}

The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see "AUTOTITLE."

{% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}

For more information about configuring notification preferences, see "AUTOTITLE."

## Enabling or disabling private vulnerability reporting for public repositories added to the organization

You can enable or disable private vulnerability reporting for new public repositories added to the organization using the {% data variables.product.prodname_github_security_configuration %}, or you can create a {% data variables.product.prodname_custom_security_configuration %}. For more information, see "AUTOTITLE" and "AUTOTITLE."
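Because a security configuration applied at organization level only covers the repositories it is attached to, an owner will usually want to verify that every public repository actually has the feature on. The following audit script is an added example and not part of this page or of GitHub's own tooling; it assumes the REST endpoints `GET /orgs/{org}/repos?type=public` and `GET /repos/{owner}/{repo}/private-vulnerability-reporting` (returning `{"enabled": true|false}`) and a token with read access in `GITHUB_TOKEN`.

```python
"""Audit which public repositories in an organization still lack private
vulnerability reporting (PVR). Added example, not GitHub's own code; it
assumes the endpoints named in the lead-in and a token in GITHUB_TOKEN."""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"  # assumed base URL for the REST API


def _get(path: str, token: str):
    """Perform an authenticated GET and decode the JSON body."""
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "X-GitHub-Api-Version": "2022-11-28"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def parse_pvr_status(body: dict) -> bool:
    """Interpret the {"enabled": ...} body; anything but a literal true counts as off."""
    return body.get("enabled") is True


def repos_missing_pvr(statuses: dict) -> list:
    """Given {repo_full_name: enabled_bool}, return the names with PVR disabled, sorted."""
    return sorted(name for name, enabled in statuses.items() if not enabled)


def audit_org(org: str, token: str) -> dict:
    """Walk the org's public repos (100 per page) and record each one's PVR status."""
    statuses = {}
    page = 1
    while True:
        repos = _get(f"/orgs/{org}/repos?type=public&per_page=100&page={page}", token)
        if not repos:
            break
        for repo in repos:
            body = _get(f"/repos/{repo['full_name']}/private-vulnerability-reporting", token)
            statuses[repo["full_name"]] = parse_pvr_status(body)
        page += 1
    return statuses


if __name__ == "__main__":
    org_name = sys.argv[1] if len(sys.argv) > 1 else "example-org"  # placeholder org name
    for name in repos_missing_pvr(audit_org(org_name, os.environ["GITHUB_TOKEN"])):
        print(f"PVR disabled: {name}")
```

Run it as `python audit_pvr.py <org>` after a configuration rollout; any repository it lists was not covered by the configuration and needs the feature enabled individually.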

## What having private vulnerability reporting enabled for a repository looks like for a security researcher

{% data reusables.security-advisory.private-vulnerability-reporting-security-researcher %}

{% data reusables.security-advisory.private-vulnerability-api %}