GitHub wants to help developers spot security issues before they get too serious
GitHub is making its Advisory Database open to the public
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
In an effort to further secureopen source software, GitHub has announced that the GitHub Advisory Database is now open to community contributions.
While the company has its own teams of security researchers that carefully review all changes and help keep security advisories up to date, community members often have additional insights and intelligence onCVEsbut lack a place to share this knowledge.
This is whyGitHubis publishing the full contents of its Advisory Database to a newpublic repositoryto make it easier for the community to leverage this data. At the same time, the company has built a new user interface for security researchers, academics and enthusiasts to make contributions.
All of the data in the GitHub Advisory Database is licensed under aCreative Commonslicense and has been since the database was first created to ensure that it remains free and usable by the community.
Contributing to a security advisory
In order to provide a community contribution to a security advisory, GitHub users first need to navigate to the advisory they wish to contribute to and submit their research through the “suggest improvements for this vulnerability” workflow. Here they can suggest changes or provide more context on packages, affected versions, impacted ecosystems and more.
The form will then walk users through opening a pull request that details their suggested changes. Once this done, security researchers from the GitHub Security Lab as well as the maintainer of the project who filed the CVE will be able to review the request. Contributors will also get public credit on theirGitHub profileonce their contribution has been merged.
GitHub launches code scanning scheme to hunt down vulnerabilities
Searching through your code just got easier in GitHub
Developers can now easily sell their tools on GitHub Marketplace
In an attempt to further interoperability, advisories in the GitHub Advisory Database repository use the Open Source Vulnerabilities (OSV) format. Software engineer forGoogle’s Open Source Security Team, Oliver Chang provided further details on the OSV format in ablog post, saying:
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“In order for vulnerability management in open source to scale, security advisories need to be broadly accessible and easily contributed to by all. OSV provides that capability.”
We’ll likely more on this change to the GitHub Advisory Database once security researchers, academics and enthusiasts begin making their own contributions to the company’s database.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
Nokia confirms data breach leaked third-party code, but its data is safe
Rising AI threats are making firms turn back to human intelligence
Audio-Technica AT-LP70XBT vs Victrola Hi-Res Onyx: which is the best Bluetooth turntable?
