In an effort to further protect open source software, GitHub has announced that the GitHub Advisory Database is now open for community contributions.
While the company has its own teams of security researchers who carefully review all changes and keep security advisories up to date, community members often have additional insight and information about CVEs, but until now have had nowhere to share it.
For this reason, GitHub is publishing the full contents of its Advisory Database in a new public repository to make it easier for the community to use this data. At the same time, the company has built a new user interface through which security researchers, academics and enthusiasts can contribute.
All data in the GitHub Advisory Database has been licensed under a Creative Commons license since the database was first created to ensure it remains free and usable by the community.
Contributing to a security advisory
To make a community contribution to a security advisory, GitHub users must first navigate to the advisory they want to contribute to and submit their research using the "Suggest improvements for this vulnerability" workflow. Here they can suggest changes or provide more context about packages, affected versions, affected ecosystems, and more.
The form then guides users through opening a pull request detailing the proposed changes. Once this is done, security researchers from the GitHub Security Lab and the maintainer of the project that submitted the CVE can review the request. Contributors will also be publicly credited on their GitHub profile once their contribution has been merged.
To promote interoperability, advisories in the GitHub Advisory Database repository use the Open Source Vulnerabilities (OSV) format. Oliver Chang, a software engineer on Google’s open source security team, gave more details on the OSV format in a blog post, saying:
“For open source vulnerability management to scale, security advisories must be widely available and easily endorsed by all. OSV offers this capability.”
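As an added illustration of what "widely available and easily consumed" means in practice (this is example code, not GitHub's or the OSV project's own), the check below reads an OSV-format advisory and decides whether a given package version falls inside its affected ranges using OSV's `introduced`, `fixed` and `last_affected` range events. The advisory record and its GHSA-style id are constructed placeholders, and version comparison is simplified to dotted integers.

```python
import json

# Constructed OSV-format advisory; the GHSA-style id is a placeholder, not a real entry.
ADVISORY = json.loads("""
{"id": "GHSA-xxxx-xxxx-xxxx",
 "summary": "Constructed example advisory",
 "affected": [
  {"package": {"ecosystem": "npm", "name": "example-lib"},
   "ranges": [{"type": "ECOSYSTEM",
               "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}]},
  {"package": {"ecosystem": "PyPI", "name": "example-lib"},
   "ranges": [{"type": "ECOSYSTEM",
               "events": [{"introduced": "0"}, {"last_affected": "2.3.0"}]}]}
 ]}
""")

def parse_version(text):
    # Simplified dotted-integer comparison; real ecosystems need their own comparators.
    return tuple(int(part) for part in text.split("."))

def range_matches(events, version):
    """Walk one OSV range: each 'introduced' opens an interval that the next
    'fixed' (exclusive) or 'last_affected' (inclusive) closes; an interval
    left open means every later version is affected."""
    ver = parse_version(version)
    start = None
    for event in events:
        if "introduced" in event:
            start = parse_version(event["introduced"])
        elif start is not None and "fixed" in event:
            if start <= ver < parse_version(event["fixed"]):
                return True
            start = None
        elif start is not None and "last_affected" in event:
            if start <= ver <= parse_version(event["last_affected"]):
                return True
            start = None
    return start is not None and ver >= start

def is_affected(advisory, ecosystem, name, version):
    """True if (ecosystem, name, version) falls inside any affected range."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            # GIT ranges hold commit hashes and cannot be compared to version strings
            if rng.get("type") in ("ECOSYSTEM", "SEMVER") and range_matches(rng["events"], version):
                return True
    return False
```

The same matching logic applies to any record pulled from the advisory repository, which is the point of a shared machine-readable format.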
We’ll likely learn more about this change to the GitHub Advisory Database as security researchers, academics, and enthusiasts start making their own contributions to the company’s database.