Publishing a maintainer security advisory
You can publish a maintainer security advisory to alert your community about a security vulnerability in your project.
Note: Maintainer security advisories are currently in public beta and subject to change.
Anyone with admin permissions to a security advisory can publish the advisory.
Before you publish an advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. Publishing an advisory deletes the temporary private fork for the advisory. For more information, see "Collaborating in a temporary private fork to resolve a security vulnerability."
After you publish an advisory, anyone with read access to the repository can see the advisory. The URL for the advisory will remain the same as before you published the advisory.
GitHub will review each published advisory and may use the advisory to send security alerts to affected repositories. If the advisory comes from a fork, we'll only send an alert if the fork owns a package, published under a unique name, on a public package registry. For more information about security alerts, see "About security alerts for vulnerable dependencies."
1. On GitHub, navigate to the main page of the repository.
2. Under your repository name, click Security.
3. In the left sidebar, click Advisories.
4. In the "Security Advisories" list, click the advisory you'd like to publish.
5. On the bottom of the page, in the "Required advisory information" box, click Show form.
6. Complete the advisory information form, then click Update advisory.
7. On the bottom of the page, click Publish advisory.