"GitHub Launches Private Bug Reporting, Package Provenance Features"

GitHub is launching a new feature that enables the collaboration between security researchers and developers in quickly and privately resolving vulnerability reports. The private vulnerability reporting channel makes it easier for researchers to submit bug reports to developers and provides developers with a single, clear communication channel with researchers. Researchers who wanted to report a bug to a GitHub repository's maintainer previously had limited options. They could either open an issue for the specific repository or email the repository's maintainer, both of which were burdensome and lacked security. The new feature provides a secure channel for the parties to communicate about vulnerability reports without doing so publicly or through email correspondence. Since GitHub announced the public beta of the program in November 2022, over 30,000 organizations have enabled the feature for more than 180,000 repositories. With one setting, organizations can enable private vulnerability reporting across all of their projects, and the capability allows maintainers to automatically send new findings to third-party vulnerability management applications. Researchers can also use an Application Programming Interface (API) to initiate new bug reports on multiple repositories simultaneously. In addition to the private vulnerability reporting tool, GitHub is releasing a feature enabling developers to provide provenance information about their projects on npm, the repository managed by GitHub. This article continues to discuss the private bug reporting and package provenance features launched by GitHub. 

Decipher reports "GitHub Launches Private Bug Reporting, Package Provenance Features"