GitHub security advisory feature

GitHub has introduced a security advisory feature where a project can state the workflow for reporting security vulnerabilities. It also seems to have ways for private forks and discussions on security issues before publishing an advisory. It is still in beta, but I saw the tab on the CPython repository.

Doc: https://help.github.com/en/articles/about-maintainer-security-advisories
Sample doc for golang: https://github.com/golang/go/security/policy

@webknjaz has a PR up for the workflow update: https://github.com/python/cpython/pull/13526


It’s been merged and now the page looks like https://github.com/python/cpython/security/policy.

My main objective was to redirect humans to the right locations and avoid duplicating what's documented elsewhere, but if it can be improved further, this should be done :slight_smile:

As for creating advisories, I suppose only folks with high org privileges can do that, and here's a demo of what it looks like: https://twitter.com/jessfraz/status/1131569352069865472


Related blog post: https://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/