Since launching Security Advisories, we’ve asked many maintainers for their feedback to help us understand how advisories are being used in their projects. One of the most important pieces of feedback we heard was the desire to simply say “thanks!” to the people that contributed to the advisory. Some maintainers are already doing this today—20% of Security Advisory descriptions mention someone. Those advisories thank people for many reasons, from finding the vulnerability and creating the fix, to moral support and more.
We want to make these credits more visible so that anyone visiting an advisory can see who contributed. To do that, we’ve made “saying thanks” a core part of the Security Advisory workflow with advisory credits.
Giving credit is simple—when editing a Security Advisory, use the Credits area at the bottom to search for the GitHub user you wish to credit, and press Enter.
The people you credit can accept or decline your credit. If accepted, GitHub shows the credit on the Security Advisory, both in the repository and in the GitHub Advisory Database.
If you’ve published a Security Advisory that mentioned a user, we’ve also gone back and processed those mentions into pending credits.
Only the community, working together, can secure the open source software that we all rely on. With advisory credits, we want to celebrate the great collaborations that happen in the community every day.