To report a vulnerability in a GitHub repository, please follow these steps:
1. Navigate to the main page of the repository.
2. Under the repository name, click Security.
3. Click Report a vulnerability to open the advisory form.
4. Fill in the advisory details form.
5. At the bottom of the form, click Submit report.
- Where to go
You can report a vulnerability in any GitHub repository, regardless of whether you are a contributor or not.
How often you can expect to get an update on a reported vulnerability
The repository maintainers will endeavor to respond to all vulnerability reports within 72 hours. However, in some cases, it may take longer to investigate and respond to a report, depending on the complexity of the vulnerability.
What to expect if the vulnerability is accepted or declined
If you disagree with the repository maintainers' decision to accept or decline your vulnerability report, you can contact them directly to discuss your concerns.
- Additional information
Please note that the following types of vulnerabilities are not eligible for reporting through the GitHub security advisory feature:
- Vulnerabilities in third-party libraries or dependencies
- Vulnerabilities in code that is not publicly accessible
- Vulnerabilities that are already publicly known
- Vulnerabilities that are not security-related

If you are unsure whether or not a vulnerability is eligible for reporting, please contact the repository maintainers directly.