GitHub has created a communication channel that will allow researchers to disclose vulnerabilities to project maintainers more easily. Previously, it was often difficult to find contact information, and vulnerabilities were reported over social media. The private vulnerability reporting feature is free and is currently in beta.
- The idea is that this is private notification of flaws, and package maintainers can elect to ignore it or seek more information. I know it's upsetting to have someone tell you your code is broken when you worked really hard on it, but it's better to have a direct approach than to learn it's being spread over social media. Learn to embrace and respond to the feedback; the goal is to raise the bar, not denigrate the developer. Make sure that your company has a security link on its web site which leads to clear flaw reporting instructions, for the same reasons.
- Microsoft acquired GitHub a bit over 4 years ago, and GitHub just announced it had passed $1B in revenue. Good to see more (needed) investment by GitHub in security. If your company's product is software, this is also a good reminder to check whether you have the processes and contact points in place to rapidly learn of and deal with vulnerabilities in your product. All too often, for example, www.yourcompany.com/security is hyping up product security features vs. making it easy for someone to report a bug and get an acknowledgement.
Read more in