
GitHub sets up private vulnerability reports for public repos to avoid 'naming and shaming'
2022-11-14 22:00

GitHub is offering a scheme for security researchers to privately report vulnerabilities found in public repositories.

Being able to report code flaws privately matters to researchers, who are otherwise often left with disclosure options that can themselves create further security problems, GitHub said in a blog post.

With the new capability, a security researcher can report a vulnerability directly and privately to the maintainers of a public repository.

"The security researcher can click this button to privately report a security vulnerability to the repository maintainer."

Rew Barratt, vice president at Coalfire, told The Register there has been a need for better collaboration between researchers and software makers, adding: "With everything from bug bounty schemes, security reporting aliases, and public name shaming on social media, private vulnerability reporting feels like an obvious solution to bring the research community together with the product community."

Casey Ellis, founder and CTO at Bugcrowd, told The Register that GitHub is not only creating a workflow to facilitate the disclosure of flaws, but even more so it's normalizing the importance of outside security feedback for FOSS maintainers and developers.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/11/14/github_private_vulnerability_reporting/

Related vendor

Vendor: Github
Products with vulnerabilities in the last 12 months: 12
Vulnerabilities by severity (last 12 months): Low 3, Medium 42, High 30, Critical 15, Total 90