Add support for filing private GitHub Security Advisories via file_github_security_advisory #14230

@pellared

Description

Currently, the functionality allows reporting issues publicly using the file_github_issue mechanism (see OSS-Fuzz new project guide).
It would be useful to introduce a similar feature that supports reporting private vulnerabilities via GitHub Security Advisories.

Specifically, this could be achieved by introducing a new field such as file_github_security_advisory, which would enable automated creation of private security advisories (see Creating a repository security advisory) instead of public issues.

Proposed enhancement

  • Add a file_github_security_advisory configuration option.
  • Ensure the process securely authenticates and interacts with GitHub’s Security Advisory API.
  • Maintain a similar workflow and UX to file_github_issue, but restricted to private advisory submissions.
  • Document configuration and usage, including required permissions and GitHub token scopes.

Rationale

This feature would improve security handling workflows by allowing projects to report and triage vulnerabilities privately before disclosure, aligning with responsible disclosure best practices.

Additionally, using GitHub’s Security Advisory system is safer and more reliable than relying on manually provided email addresses, which may:

  • Become outdated or inactive over time.
  • Introduce risks if they belong to unverified or malicious actors.

By leveraging GitHub’s verified security workflow, sensitive reports remain within a trusted, authenticated channel.
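The request the proposed file_github_security_advisory option would have to make, as an added example that is not OSS-Fuzz code and not part of the issue above. It assumes a hypothetical project and repository (`example-project`, `example-org/example-project`), a constructed crash report, a token read from the `GITHUB_TOKEN` environment variable with write access to repository security advisories (classic `repo` scope, or a fine-grained token with "Repository security advisories: write"), and that the endpoint and field names follow GitHub's documented REST API for creating a repository security advisory (`POST /repos/{owner}/{repo}/security-advisories`); check them against the current API reference before relying on them. The repository slug is validated before it is spliced into the URL because it comes from project configuration, not from a trusted source.

```python
"""Added example: file a private GitHub Security Advisory from a fuzzer crash
report instead of a public issue. Not OSS-Fuzz code; endpoint, field names and
token scopes are assumptions taken from GitHub's REST API documentation.
"""
import json
import os
import re
import urllib.request

GITHUB_API = "https://api.github.com"
ALLOWED_SEVERITIES = {"critical", "high", "medium", "low"}
# owner/repo: reject anything that could alter the request path.
REPO_RE = re.compile(r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+")

# Constructed sample crash report (hypothetical project and URLs).
SAMPLE_CRASH = {
    "project": "example-project",
    "repo": "example-org/example-project",
    "fuzzer": "libfuzzer",
    "sanitizer": "address",
    "crash_type": "Heap-buffer-overflow READ 4",
    "crash_state": "parse_header\nparse_packet\nLLVMFuzzerTestOneInput",
    "ecosystem": "other",
    "severity": "High",
    "testcase_url": "https://example.invalid/testcase/123",
}


def validate_crash(crash: dict) -> list:
    """Return a list of problems; an empty list means the report is usable."""
    problems = []
    for field in ("project", "repo", "crash_type", "crash_state", "severity"):
        if not crash.get(field):
            problems.append(f"missing required field: {field}")
    repo = crash.get("repo", "")
    if repo and not REPO_RE.fullmatch(repo):
        problems.append(f"invalid repository slug: {repo!r}")
    sev = str(crash.get("severity", "")).lower()
    if sev and sev not in ALLOWED_SEVERITIES:
        problems.append(f"unsupported severity: {crash['severity']}")
    return problems


def build_advisory_payload(crash: dict) -> dict:
    """Map a crash report onto the advisory request body.

    Fails loudly on a malformed report rather than creating an empty or
    mis-rated advisory in the target repository.
    """
    problems = validate_crash(crash)
    if problems:
        raise ValueError("; ".join(problems))
    top_frame = crash["crash_state"].splitlines()[0]
    # GitHub caps the summary length; keep it to one line.
    summary = f"{crash['crash_type']} in {top_frame}"[:1024]
    description = (
        f"Fuzzer: {crash.get('fuzzer', 'unknown')}\n"
        f"Sanitizer: {crash.get('sanitizer', 'unknown')}\n"
        f"Crash state:\n{crash['crash_state']}\n"
        f"Testcase: {crash.get('testcase_url', 'n/a')}\n"
    )
    return {
        "summary": summary,
        "description": description,
        "severity": crash["severity"].lower(),
        # The API requires at least one affected-package entry.
        "vulnerabilities": [{
            "package": {"ecosystem": crash.get("ecosystem", "other"),
                        "name": crash["project"]},
            "vulnerable_functions": [top_frame],
        }],
    }


def file_private_advisory(crash: dict, token: str, dry_run: bool = True) -> dict:
    """Create the advisory. With dry_run=True (default, so this runs offline)
    the prepared request is returned instead of sent; the token never appears
    in the returned dict."""
    payload = build_advisory_payload(crash)
    req = urllib.request.Request(
        f"{GITHUB_API}/repos/{crash['repo']}/security-advisories",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    if dry_run:
        return {"url": req.full_url, "method": req.get_method(), "payload": payload}
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Token comes from the environment, never from project.yaml or logs.
    token = os.environ.get("GITHUB_TOKEN", "")
    print(json.dumps(file_private_advisory(SAMPLE_CRASH, token, dry_run=True), indent=2))
```

Design note: creating an advisory this way needs a credential with write access to the target repository, so each project would have to grant it to the reporting bot. GitHub also documents a separate "privately report a security vulnerability" endpoint for repositories that have private vulnerability reporting enabled, which does not require write access to the target repository and may be the better fit for a service reporting into third-party repos; the request shape above would need to be adjusted for it.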
