"GitHub Launches Channel to Ease Vulnerability Disclosure Process for Open-Source Software"
GitHub, the world's largest open-source software development community, has added a communication channel to its platform to make it easier for security researchers to report vulnerabilities to project maintainers. Reporting vulnerabilities has always been difficult. While researchers typically feel obligated to notify users of potentially exploitable bugs, there is a lack of clear instructions on how to contact project maintainers. Furthermore, many open-source projects are managed and supported by small groups of volunteers who update or fix broken code in their spare time.

Researchers can now report bugs to maintainers directly and privately, thanks to a new feature announced at GitHub Universe 2022, a global developer event for cloud, security, community, and Artificial Intelligence (AI). According to Justin Hutchings, GitHub's director of product management, in the past, because it was difficult to find correct contact information, security researchers always reported vulnerabilities on social media or even created public issues, potentially leading to public disclosure of the vulnerability details.

Using the new feature, when a researcher reports an issue, maintainers are notified, and they can choose whether to accept it, ask more questions, or reject it. This gives maintainers more control over how researchers communicate vulnerability details, while reducing the number of times maintainers are contacted publicly or through unwelcome means. GitHub also believes it will reduce the likelihood of vulnerabilities being exposed to the public before fixes are available. According to Hutchings, private vulnerability reporting is free, and anyone can now sign up for the public beta. The team intends to make it widely available in early 2023.
While a communication channel increases the likelihood of positive outcomes in the disclosure process, Jamie Scott, founding product manager at Endor Labs, cautioned that it also entails greater ethical responsibility within the open-source community. This article continues to discuss GitHub's launch of a new channel to make it more straightforward for security researchers to report vulnerabilities to project maintainers.