GitHub introduces private bug reporting to secure software supply chain

11 Nov 2022

GitHub said the feature is designed to boost collaboration between security researchers and open-source maintainers to report and fix vulnerabilities.

Microsoft-owned GitHub has launched a wave of new security features to help protect the open-source supply chain.

This includes private vulnerability reports, which allow community members to discreetly send any security issues they find to the maintainers of open-source repositories.

GitHub said this feature is designed to boost collaboration between security researchers and open-source maintainers to report and fix vulnerabilities.

The company’s CEO Thomas Dohmke said the feature is designed to bring standardisation, efficiency and discretion to vulnerability reporting workflows.

“The world runs on open source, and the software supply chain is one of the largest attack vectors today,” Dohmke said in a blog post. “Without insights into your code you may never know that you have vulnerabilities in your dependencies.”

Other security updates announced by GitHub include CodeQL vulnerability scanning support for the Ruby programming language and two new security overview options for its enterprise users.

GitHub has been focusing more on open-source security this year. At a White House summit in January, the company shared plans to up its game in the open-source software security space. This came after security vulnerabilities such as the Log4Shell flaw raised concerns.

In August, GitHub also shared plans to use the code-signing platform Sigstore to protect its open-source registry, which was impacted by a cyberattack earlier in the year.

Storing zero-day vulnerabilities

The new private vulnerability reporting feature was praised by Tzachi Zorenshtain, head of software supply chain at cybersecurity company Checkmarx. Zorenshtain said allowing streamlined communication between security researchers and open-source maintainers will “increase the safety of the overall open-source ecosystem”.

“Allowing open-source contributors to easily and safely support their projects helps all of us make progress towards greater security,” Zorenshtain said.

Founding product manager at US start-up Endor Labs, Jamie Scott, also supported the move but noted that GitHub will become “an arbitrator and holder of a vast wealth of security information” by centralising this security information.

“They become a platform that stores zero-day vulnerabilities,” Scott said. “This comes with an ethical responsibility that GitHub must take seriously to protect that information, and also an opportunity to use that data for security research, and community arbitration and risk resolution.”

Leigh Mc Gowran is a journalist with Silicon Republic