GitHub has opened up its security Advisory Database to community contributions with the aim of furthering the security of the software supply chain.
Independent security researchers, academics, and enthusiasts are now able to submit their own research into security vulnerabilities into the open source development platform to provide further insight into existing vulnerabilities.
The process will work much like the platform’s pull requests feature that’s already used by developers to suggest changes to projects. Those with deeper insight into an existing security vulnerability will be able to submit their findings via a pull request and it will then be verified before being published.
Security researchers from the GitHub Security Lab, as well as the maintainer of the project who filed the vulnerability, are tasked with verifying each submission. If approved, the community contribution will be merged into the public advisory and credit will be displayed on the user’s profile.
To submit research to deepen the understanding of a given vulnerability, community researchers can navigate to a vulnerability’s advisory on the Advisory Database and click ‘suggest improvements for this vulnerability’ in the right-side pane on the page.
In addition to accepting community submissions, GitHub will also be publishing the contents of the Advisory Database to a new public repository to make it easier for the community to benefit from the professionally verified data.
Just like with the current data in the Advisory Database, the contents of the new public repository will be licensed under the Creative Commons license, meaning that the data will always be free and usable by the community.
What is the GitHub Advisory Database?
The GitHub Advisory Database pulls in security vulnerabilities from a number of verified sources, allowing users to search for issues that affect open source projects hosted on the platform.
Security vulnerabilities are sourced from the National Vulnerability Database, the npm security advisories database, detected issues in public commits on GitHub projects, and security advisories directly reported on GitHub.
GitHub is a CVE Naming Authority (CNA) and can assign Common Vulnerability Exposure (CVE) identification numbers for the verified security flaws that are submitted through its platform.
RELATED RESOURCE
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
The vulnerabilities listed in the Advisory Database are split into two categories: GitHub-reviewed advisories and unreviewed advisories. The verified entries in the database also inform GitHub’s Dependabot feature, which automatically alerts and updates projects when it discovers a security vulnerability.
“The GitHub Advisory Database is the largest database of vulnerabilities in software dependencies in the world,” said GitHub.
“It is maintained by a dedicated team of full-time curators and powers the security audit experience for npm and NuGet, as well as GitHub’s own Dependabot alerts. By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software.”
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Organizations urged to act fast after GitHub Action supply chain attackNews More than 20,000 organizations may be at risk following a supply chain attack affecting tj-actions/changed-files GitHub Action.
-
Nearly a million devices were infected in a huge GitHub malvertising campaignNews Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
'GitVenom' campaign uses dodgy GitHub repositories to spread malwareNews Security researchers have issued an alert over a campaign using GitHub repositories to distribute malware, with users lured in by fake projects.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Malicious GitHub repositories target users with malwareNews Criminals are exploiting GitHub's reputation to install Lumma Stealer disguised as game hacks and cracked software
