Giving credit for Security Advisories

Since launching Security Advisories, we’ve asked many maintainers for their feedback to help us understand how advisories are being used in their projects. One of the most important pieces of feedback we heard was the desire to simply say “thanks!” to the people that contributed to the advisory. Some maintainers are already doing this today—20% of Security Advisory descriptions mention someone. Those advisories thank people for many reasons, from finding the vulnerability and creating the fix, to moral support and more.

Showing appreciation

We want to make these credits more visible so that anyone visiting an advisory can see who contributed. To do that, we’ve made “saying thanks” a core part of the Security Advisory workflow with advisory credits. 

Giving credit is simple—when editing a Security Advisory, use the Credits area at the bottom to search for the GitHub user you wish to credit, and press Enter.

The people you credit can accept or decline your credit. If accepted, GitHub shows the credit on the Security Advisory, both in the repository and in the GitHub Advisory Database.

If you’ve published a Security Advisory that mentioned a user, we’ve also gone back and processed those mentions into pending credits.

Thank you

Only the community, working together, can secure the open source software that we all rely on. With advisory credits, we want to celebrate the great collaborations that happen in the community every day.

Learn more about GitHub Security Advisories

Written by

Alex Mullans

@infin8x