{"meta":{"title":"Configuring private vulnerability reporting for a repository","intro":"Owners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/how-tos","title":"How-tos"},{"href":"/en/code-security/how-tos/report-and-fix-vulnerabilities","title":"Report and fix vulnerabilities"},{"href":"/en/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting","title":"Configure vulnerability reporting"},{"href":"/en/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configuring-private-vulnerability-reporting-for-a-repository","title":"Configure for a repository"}],"documentType":"article"},"body":"# Configuring private vulnerability reporting for a repository\n\nOwners and administrators of public repositories can allow security researchers to report vulnerabilities securely in the repository by enabling private vulnerability reporting.\n\nEnabling private vulnerability reporting gives security researchers a secure, structured way to disclose vulnerabilities directly in your repository. Once enabled, researchers can submit reports through  without resorting to public disclosure or informal channels. For background on private vulnerability reporting and how it fits into coordinated disclosure, see [About coordinated disclosure of security vulnerabilities](/en/code-security/concepts/vulnerability-reporting-and-management/about-coordinated-disclosure-of-security-vulnerabilities).\n\nThe instructions in this article refer to enablement at repository level. 
For information about enabling the feature at organization level, see [Configuring private vulnerability reporting for an organization](/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization).\n\n## Enabling or disabling private vulnerability reporting for a repository\n\n1. On GitHub, navigate to the main page of the repository.\n2. Under your repository name, click **Settings**. If you cannot see the \"Settings\" tab, select the **...** (More) dropdown menu, then click **Settings**.\n\n   ![Screenshot of a repository header showing the tabs. The \"Settings\" tab is highlighted by a dark orange outline.](/assets/images/help/repository/repo-actions-settings.png)\n3. 
In the \"Security\" section of the sidebar, click **Advanced Security**.\n4. Under \"Advanced Security\", to the right of \"Private vulnerability reporting\", click **Enable** or **Disable**, to enable or disable the feature, respectively.\n   ![Screenshot of the \"Code security and analysis\" page, showing the \"Private vulnerability reporting\" setting. The \"Enable\" button is outlined in orange.](/assets/images/help/security/private-vulnerability-reporting-enable-or-disable-repo.png)\n\nWhen private vulnerability reporting is enabled, security researchers see a **Report a vulnerability** button on the repository’s \"Advisories\" page, which allows them to submit a private report.\n\n![Screenshot showing the \"Report a vulnerability\" button for a repository where private vulnerability reporting has been enabled.](/assets/images/help/security/report-a-vulnerability-button.png)\n\nSecurity researchers can also use the REST API to privately report security vulnerabilities. 
See [REST API endpoints for repository security advisories](/en/rest/security-advisories/repository-advisories#privately-report-a-security-vulnerability).\n\n## Configuring notifications for private vulnerability reporting\n\nWhen a new vulnerability is privately reported in a repository, GitHub notifies repository administrators and security managers if:\n\n* They're watching the repository for all activity or are subscribed to “Security alerts” notifications.\n* They have notifications enabled for the repository.\n\nNotifications depend on the user's notification preferences. You will receive an email notification if:\n\n* You are watching the repository with **All Activity** selected, or with **Security alerts** (available under **Custom**) selected.\n* In your notification settings, under **Subscriptions**, then under **Watching**, you have selected to receive notifications by email.\n\n1. On GitHub, navigate to the main page of the repository.\n\n2. To start watching the repository, select **Watch**.\n\n   ![Screenshot of the repository's main page. 
A dropdown menu, titled \"Watch\", is highlighted with an orange outline.](/assets/images/help/repository/repository-watch-dropdown.png)\n\n3. In the dropdown menu, select **All Activity** to receive notifications for all activity, or select **Custom**, then **Security alerts** to receive notifications only for security alerts.\n\n4. Navigate to the notification settings for your personal account. These are available at [https://github.com/settings/notifications](https://github.com/settings/notifications?ref_product=security-advisories\\&ref_type=engagement\\&ref_style=text).\n\n5. On your notification settings page, under \"Subscriptions,\" then under \"Watching,\" click the **Notify me** dropdown.\n\n6. Select \"Email\" as a notification option, then click **Save**.\n\n   ![Screenshot of the notification settings for a user account. Under \"Subscriptions\" and \"Watching\" a checkbox, titled \"Email\", is outlined in orange.](/assets/images/help/notifications/repository-watching-notification-options.png)\n\nFor more information about setting up notification preferences, see [Managing security and analysis settings for your repository](/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts) and [Configuring your watch settings for an individual repository](/en/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications#configuring-your-watch-settings-for-an-individual-repository)."}