---
title: Publishing a repository security advisory
intro: You can publish a security advisory to alert your community about a security vulnerability in your project.
permissions: '{% data reusables.permissions.security-repo-enable %}'
redirect_from:
  - /articles/publishing-a-maintainer-security-advisory
  - /github/managing-security-vulnerabilities/publishing-a-maintainer-security-advisory
  - /github/managing-security-vulnerabilities/publishing-a-security-advisory
  - /code-security/security-advisories/publishing-a-security-advisory
  - /code-security/repository-security-advisories/publishing-a-repository-security-advisory
  - /code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory
  - /code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory
versions:
  fpt: '*'
  ghec: '*'
contentType: how-tos
shortTitle: Publish repository advisory
category:
  - Report and disclose vulnerabilities
---

{% data reusables.security-advisory.repository-level-advisory-note %}

## Prerequisites

Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. See AUTOTITLE and AUTOTITLE.

## Publishing a security advisory

> [!WARNING]
> Whenever possible, you should add a fix version to a security advisory prior to publishing the advisory. If you don't, the advisory will be published without a fixed version, and {% data variables.product.prodname_dependabot %} will alert your users about the issue without offering any safe version to update to.

1. {% data reusables.repositories.navigate-to-repo %}
2. {% data reusables.repositories.sidebar-security %}
3. {% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the name of the security advisory you'd like to publish.
5. Scroll to the bottom of the advisory form and click **Publish advisory**.

   * If you selected "Request CVE ID later", you will see a **Request CVE** button in place of the **Publish advisory** button.

   Screenshot of the "Required advisory information has been provided" area of the page. The "Publish advisory" button is outlined in orange.

> [!NOTE]
> Publishing a security advisory deletes the temporary private fork for the security advisory.

## Requesting a CVE identification number (Optional)

If you don't already have a CVE identification number for a security vulnerability in your project, you can request one from {% data variables.product.github %}.

1. {% data reusables.repositories.navigate-to-repo %}
2. {% data reusables.repositories.sidebar-security %}
3. {% data reusables.repositories.sidebar-advisories %}
4. In the "Security Advisories" list, click the name of the security advisory you'd like to request a CVE identification number for.
5. Scroll to the bottom of the advisory form and click **Request CVE**.

   Screenshot of the "Required advisory information has been provided" area of the page. The "Request CVE" button is outlined in dark orange.

## Further reading