
About GitHub Security Advisories

You can use GitHub Security Advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.


Anyone with admin permissions to a repository can create a security advisory.

Anyone with admin permissions to a repository also has admin permissions to all security advisories in that repository. People with admin permissions to a security advisory can add collaborators, and collaborators have write permissions to the security advisory.

About GitHub Security Advisories

GitHub Security Advisories allows repository maintainers to privately discuss and fix a security vulnerability in a project. After collaborating on a fix, repository maintainers can publish the security advisory to publicly disclose the security vulnerability to the project's community. By publishing security advisories, repository maintainers make it easier for their community to update package dependencies and research the impact of the security vulnerabilities.

With GitHub Security Advisories, you can:

  1. Create a draft security advisory, and use the draft to privately discuss the impact of the vulnerability on your project.
  2. Privately collaborate to fix the vulnerability in a temporary private fork.
  3. Publish the security advisory to alert your community of the vulnerability.

To get started, see "Creating a security advisory."

You can set up a security policy that asks people to responsibly report security vulnerabilities in your project. For more information, see "Adding a security policy to your repository."

You can also join GitHub Security Lab to browse security-related topics and contribute to security tools and projects.

CVE identification numbers

GitHub Security Advisories builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list. GitHub is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers. For more information, see "About CVE" and "CVE Numbering Authorities" on the CVE website.

When you create a security advisory for a public repository on GitHub, you have the option of providing an existing CVE identification number for the security vulnerability. If the security vulnerability in your project does not yet have a CVE identification number, you can request one from GitHub. Assigning a CVE identification number is generally completed within 72 hours. For more information, see "Publishing a security advisory."

Security alerts for published security advisories

GitHub reviews each published security advisory, adds it to the GitHub Advisory Database, and may use the security advisory to send security alerts to affected repositories. If the security advisory comes from a fork, we only send alerts if the fork owns a package that is published under a unique name on a public package registry. This process can take up to 72 hours, and GitHub may contact you for more information.

For more information about security alerts, see "About security alerts for vulnerable dependencies." For more information about the GitHub Advisory Database, see "Browsing security vulnerabilities in the GitHub Advisory Database."
