Publishing a maintainer security advisory

You can publish a maintainer security advisory to alert your community about a security vulnerability in your project.

Note: Maintainer security advisories are currently in public beta and subject to change.

Anyone with admin permissions to a security advisory can publish the advisory.

Before you publish an advisory, you can privately collaborate to fix the vulnerability in a temporary private fork. Publishing an advisory deletes the temporary private fork for the advisory. For more information, see "Collaborating in a temporary private fork to resolve a security vulnerability."

After you publish an advisory, anyone with read access to the repository can see it. Publishing does not change the advisory's URL: links that pointed at the draft advisory keep working after publication.

GitHub will review each published advisory and may use the advisory to send security alerts to affected repositories. If the advisory comes from a fork, we'll only send an alert if the fork owns a package, published under a unique name, on a public package registry. For more information about security alerts, see "About security alerts for vulnerable dependencies."

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

  3. In the left sidebar, click Advisories.

  4. In the "Security Advisories" list, click the advisory you'd like to publish.

  5. On the bottom of the page, in the "Required advisory information" box, click Show form.

  6. Complete the advisory information form, then click Update advisory.

  7. On the bottom of the page, click Publish advisory.