GitHub now allows enabling private vulnerability reporting at scale

GitHub announced that private vulnerability reporting is now generally available and can be enabled at scale, on all repositories belonging to an organization.

Once toggled on, security researchers can use this dedicated communications channel to privately disclose security issues to an open-source project’s maintainers without accidentally leaking vulnerability details.

This is “a private collaboration channel that makes it easier for researchers and maintainers to report and fix vulnerabilities on public repositories,” GitHub’s Eric Tooley and Kate Catlin .

Since its as an opt-in feature in November 2022 during the global developer event, “maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers.”

Easy to enable across an org’s repos

During the public beta test phase, the option to report private vulnerabilities could only be activated by maintainers and repository owners only on single repositories.

Starting this week, they can now enable this direct bug-reporting channel for all repositories within their organization.

GitHub has also added integration and automation support via a new that enables dispatching private reports to third-party vulnerability management systems and submitting the same report to multiple repos sharing a security flaw.

It can also be configured so private bug reporting is enabled automatically on all new public repositories.

The functionality can be enabled under ‘Code security and analysis’ by clicking the ‘Enable all’ button next to the ‘Private vulnerability reporting’ option.

Enabling private vulnerability reporting
Enabling private vulnerability reporting (GitHub)

​Owners and administrators of public repositories to ensure they receive bug reports on the same platform where they get resolved, discuss all details with researchers, and securely collaborate with them to create a patch.

After it’s enabled, security researchers can submit private security reports directly on GitHub from the Security tab under the repository name by clicking on the ‘Report a vulnerability’ in the left sidebar, under Reporting > Advisories.

Private bug reports can also be sent via the GitHub REST API using the parameters described on .

Last month, GitHub also announced that its for all public repositories.