
Private vulnerability reporting now generally available

Blog post from GitHub

Post Details
Company: GitHub
Author: Eric Tooley, Kate Catlin
Word Count: 773
Language: English
Summary

GitHub has announced the general availability of its private vulnerability reporting feature, designed to streamline the process of reporting and fixing vulnerabilities in public repositories by creating a private collaboration channel between researchers and maintainers. Initially introduced in public beta at GitHub Universe 2022, the feature has since been adopted by over 30,000 organizations on more than 180,000 repositories, facilitating over 1,000 submissions from security researchers. This tool allows maintainers like Jordan Tucker of JSON5 to manage vulnerability disclosures more efficiently, avoiding public discussions and cumbersome email threads, and has proven effective in addressing security issues, as demonstrated by the more than 11 million alerts triggered for a JSON5 vulnerability. Security researchers, such as Marco Squarcina, also benefit by being able to submit vulnerabilities directly through GitHub without relying on emails that may be ignored. The feature now includes enhancements such as organization-wide enablement across all repositories and integration with third-party systems, and, like GitHub's other security tools, it is offered free on public repositories.