Giving credit for Security Advisories
Saying thanks is now a core part of the Security Advisory workflow.
Since launching Security Advisories, we’ve asked many maintainers for their feedback to help us understand how advisories are being used in their projects. One of the most important pieces of feedback we heard was the desire to simply say “thanks!” to the people that contributed to the advisory. Some maintainers are already doing this today—20% of Security Advisory descriptions mention someone. Those advisories thank people for many reasons, from finding the vulnerability and creating the fix, to moral support and more.
Showing appreciation
We want to make these credits more visible so that anyone visiting an advisory can see who contributed. To do that, we’ve made “saying thanks” a core part of the Security Advisory workflow with advisory credits.
Giving credit is simple—when editing a Security Advisory, use the Credits area at the bottom to search for the GitHub user you wish to credit, and press Enter.
The people you credit can accept or decline your credit. If accepted, GitHub shows the credit on the Security Advisory, both in the repository and in the GitHub Advisory Database.
If you’ve published a Security Advisory that mentioned a user, we’ve also gone back and processed those mentions into pending credits.
Thank you
Only the community, working together, can secure the open source software that we all rely on. With advisory credits, we want to celebrate the great collaborations that happen in the community every day.
Learn more about GitHub Security Advisories
Written by
Related posts
Uncovering GStreamer secrets
In this post, I’ll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.
CodeQL zero to hero part 4: Gradio framework case study
Learn how I discovered 11 new vulnerabilities by writing CodeQL models for Gradio framework and how you can do it, too.
Attacking browser extensions
Learn about browser extension security and secure your extensions with the help of CodeQL.