About maintainer security advisories

You can use maintainer security advisories to privately discuss, fix, and publish information about security vulnerabilities in your repository.

Note: Maintainer security advisories are currently in public beta and subject to change.

With maintainer security advisories, you can:

  1. Create a draft advisory, and use the draft to privately discuss the impact of the vulnerability on your project
  2. Privately collaborate to fix the vulnerability in a temporary private fork
  3. Publish the advisory to alert your community of the vulnerability

GitHub will review each published advisory and may use the advisory to send security alerts to affected repositories. If the advisory comes from a fork, we'll only send an alert if the fork owns a package, published under a unique name, on a public package registry. For more information about security alerts, see "About security alerts for vulnerable dependencies."

Anyone with admin permissions to a repository automatically has admin permissions to all security advisories in that repository. People with admin permissions to a security advisory can add collaborators, who have write permissions to the advisory. For more information, see "Permission levels for maintainer security advisories."

To get started, see "Creating a maintainer security advisory."

You can create a security policy to give people instructions for responsibly reporting security vulnerabilities in your project. For more information, see "Adding a security policy to your repository."
