GitHub, the largest open source software development community in the world, launched a communication channel on the platform to make it more straightforward for security researchers to report vulnerabilities to projects’ maintainers.
Vulnerability reporting has always been complicated. While researchers often feel responsible for informing users of bugs that could be exploited, there are no clear instructions on how to contact projects’ maintainers. Additionally, many open source projects are managed and supported by small cadres of volunteers who update or fix problematic code in their spare time.
The feature - announced Wednesday at GitHub Universe 2022, a global developer event for cloud, security, community, and AI - allows researchers to report bugs to maintainers directly and privately.
“Private vulnerability reporting is a collaborative solution for security researchers and open-source maintainers to report and fix vulnerabilities in open-source repositories. It provides a convenient, standardized, and secret way to report, assess, and address vulnerabilities,” GitHub CEO Thomas Dohmke said in a post.
Justin Hutchings, director of product management at GitHub, told SC Media that in the past, since it was difficult to find correct contact information, security researchers have always reported the vulnerabilities on social media or even created public issues, which could potentially lead to public disclosure of the vulnerability details.
“When the disclosures happen publicly, maintainers have no time to fix the issues before bad actors have a chance to hear about it,” Hutchings explained.
With the new feature, when a researcher reports an issue, maintainers will be notified on the platform, and they can choose to either accept it, ask more questions, or reject it. In this way, maintainers will have more control over the way vulnerability details are communicated by researchers, while cutting down on instances where maintainers are contacted publicly or through unwanted means. GitHub also believes it will make it less likely that vulnerabilities will be exposed to the public ahead of fixes.
According to Hutchings, private vulnerability reporting is free, and anyone can now sign up for the public beta. The team plans to make it generally available in early 2023.
Tim Mackey, principal security strategist at Synopsys, said the new feature has promise.
“While larger organizations are likely to have avenues for researchers to responsibly report vulnerabilities, open source projects, and in particular smaller open source projects, lack the resources to properly manage the workflows to receive, respond, and process a security report — and do so in a confidential manner,” he told SC Media in an email.
“It is great to see GitHub take this important step. Allowing open source contributors to easily and safely support their projects helps all of us make progress toward greater security,” Tzachi Zornstain, head of supply chain security at Checkmarx, added.
While a communication channel improves the likelihood of positive outcomes in the disclosure process, Jamie Scott, founding product manager at Endor Labs, warned that it also comes with greater ethical responsibility among the open source community.
By collecting vulnerabilities on the platform, Scott said that GitHub now becomes “an arbitrator” and “holder of a vast wealth of security information.” “This comes with an ethical responsibility that GitHub must take seriously to protect the information,” he told SC Media in an email.
In addition, Scott said that the community should also standardize timeframes on when the vulnerabilities should be disclosed to the public if no action is taken on them.