| title | Privately reporting a security vulnerability | |||||||
|---|---|---|---|---|---|---|---|---|
| intro | Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers. | |||||||
| versions |
|
|||||||
| contentType | how-tos | |||||||
| permissions | **Anyone** can privately report a security vulnerability to repository maintainers. | |||||||
| shortTitle | Report privately | |||||||
| redirect_from |
|
|||||||
| category |
|
{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
Note
- If you have admin or security permissions for a public repository, you don’t need to submit a vulnerability report. Instead, create a draft security advisory directly. See AUTOTITLE.
- Private vulnerability reporting is separate from a repository’s
SECURITY.mdfile. You can only report vulnerabilities privately for repositories where this feature is enabled, and you don’t need to follow the instructions inSECURITY.md.
If a public repository has private vulnerability reporting enabled, anyone can submit a private vulnerability report to the repository maintainers.
If the repository doesn't have private vulnerability reporting enabled, you need to initiate the reporting process by following the instructions in the security policy for the repository, or by creating an issue asking the maintainers for a preferred security contact. See AUTOTITLE.
{% data reusables.security-advisory.reporting-a-vulnerability-non-admin %}
The next steps depend on the action taken by the repository maintainer. See AUTOTITLE.
