Publishing a repository security advisory

You can publish a security advisory to alert your community about a security vulnerability in your project.

Who can use this feature?

Repository owners, organization owners, security managers, and users with the admin role

Note

This article applies to repository-level security advisories in a public repository. To edit a global advisory in the GitHub Advisory Database, see Editing security advisories in the GitHub Advisory Database.

Prerequisites

Before you can publish a security advisory or request a CVE identification number, you must create a draft security advisory and provide information about the versions of your project affected by the security vulnerability. See Creating a repository security advisory and Editing a repository security advisory.

Publishing a security advisory

Warning

Whenever possible, you should add a fix version to a security advisory prior to publishing the advisory. If you don't, the advisory will be published without a fixed version, and Dependabot will alert your users about the issue without offering any safe version to update to.

  1. On GitHub, navigate to the main page of the repository.

  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted by a dark orange outline.

  3. In the left sidebar, under "Reporting", click Advisories.

  4. In the "Security Advisories" list, click the name of the security advisory you'd like to publish.

  5. Scroll to the bottom of the advisory form and click Publish advisory.

    • If you selected "Request CVE ID later", you will see a Request CVE button in place of the Publish advisory button.

    Screenshot of the "Required advisory information has been provided" area of the page. The "Publish advisory" button is outlined in orange.

Note

Publishing a security advisory deletes the temporary private fork for the security advisory.

Requesting a CVE identification number (Optional)

If you don't already have a CVE identification number for a security vulnerability in your project, you can request one from GitHub.

  1. On GitHub, navigate to the main page of the repository.

  2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.

    Screenshot of a repository header showing the tabs. The "Security" tab is highlighted by a dark orange outline.

  3. In the left sidebar, under "Reporting", click Advisories.

  4. In the "Security Advisories" list, click the name of the security advisory you'd like to request a CVE identification number for.

  5. Scroll to the bottom of the advisory form and click Request CVE.

    Screenshot of the "Required advisory information has been provided" area of the page. The "Request CVE" button is outlined in dark orange.
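As an added example (not GitHub's own code), the following Python helper applies the warning above before publishing and mirrors the two procedures on this page: it refuses to publish a draft whose affected packages have no fix version, and otherwise publishes the advisory or requests a CVE through the REST API. The endpoint paths and field names (`/repos/{owner}/{repo}/security-advisories/{ghsa_id}`, the `/cve` sub-path, `patched_versions`, `state`) are assumed from the REST API's repository security advisory object and should be checked against the API reference; the sample advisory is constructed.

```python
import json
import urllib.request

API = "https://api.github.com"

# Constructed sample in the shape of a draft repository advisory: the second
# package has no fix version, so Dependabot could only warn, not offer an update.
SAMPLE_DRAFT = {
    "state": "draft",
    "vulnerabilities": [
        {"package": {"ecosystem": "npm", "name": "example-lib"},
         "vulnerable_version_range": "< 1.3.0", "patched_versions": "1.3.0"},
        {"package": {"ecosystem": "pip", "name": "example-tool"},
         "vulnerable_version_range": "<= 2.0", "patched_versions": None},
    ],
}

def missing_fix_versions(advisory: dict) -> list:
    """Affected packages whose patched_versions is empty (assumed field name)."""
    missing = []
    for vuln in advisory.get("vulnerabilities", []):
        pkg = vuln.get("package") or {}
        if not (vuln.get("patched_versions") or "").strip():
            missing.append(f"{pkg.get('ecosystem', '?')}:{pkg.get('name', '?')}")
    return missing

def ready_to_publish(advisory: dict) -> bool:
    """A draft is ready only when every affected package has a fix version."""
    return advisory.get("state") == "draft" and not missing_fix_versions(advisory)

def _call(method: str, path: str, token: str, body=None) -> dict:
    """Minimal authenticated REST call; the token needs admin rights on the repo."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def publish_advisory(owner: str, repo: str, ghsa_id: str, token: str) -> dict:
    """Fetch the draft, refuse to publish without fix versions, else set state."""
    path = f"/repos/{owner}/{repo}/security-advisories/{ghsa_id}"
    missing = missing_fix_versions(_call("GET", path, token))
    if missing:
        raise ValueError(f"add a fix version before publishing: {', '.join(missing)}")
    return _call("PATCH", path, token, {"state": "published"})  # assumed state value

def request_cve(owner: str, repo: str, ghsa_id: str, token: str) -> dict:
    """Ask GitHub for a CVE ID (assumed endpoint: POST .../{ghsa_id}/cve)."""
    return _call("POST", f"/repos/{owner}/{repo}/security-advisories/{ghsa_id}/cve", token)
```

Run `missing_fix_versions(SAMPLE_DRAFT)` offline to see the check flag `pip:example-tool`; the network calls only run when you call `publish_advisory` or `request_cve` with a real repository and token.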

Further reading