GitHub has announced the GitHub Advisory Database is now open to community contributions, allowing anyone to contribute security information to advisories to better secure software supply chains.
The world of open source security is fast moving, GitHub says, with new vulnerabilities and different attack vectors driving the community to continuously seek to learn more. GitHub has teams of security researchers that review all changes and help keep security advisories up to date, but often there are community members with additional insights and intelligence on CVEs that do not have a place to share this knowledge.
GitHub is publishing the full contents of the Advisory Database to a new public repository to make it easier for the community to benefit from this data. It has also built a user interface for making contributions. The data is licensed under a Creative Commons license, and has been since the database's inception, making it forever free and usable by the community.
The GitHub Advisory Database is the largest database of vulnerabilities in software dependencies in the world. It is maintained by a dedicated team of full-time curators and powers the security audit experience for npm and NuGet, as well as GitHub's own Dependabot alerts. By making it easier to contribute to and consume, GitHub says it hopes it will power more experiences and will further help improve the security of all software.
How to contribute to a security advisory
With community contributions, security researchers, academics, and enthusiasts will now be able to provide additional information and context to further the community's understanding and awareness of security advisories. To provide a community contribution to a security advisory, navigate to the advisory you wish to contribute to, and submit your research through the "suggest improvements for this vulnerability" workflow.
To complete your submission, the form will walk you through opening a pull request that details your suggested changes. Once the pull request is open, security researchers from the GitHub Security Lab, as well as the maintainer of the project who filed the CVE (if known), will be able to review your request. Contributors will get public credit on their GitHub profile once their contribution is merged!
Advisory Database format
In the spirit of furthering interoperability, advisories in the GitHub Advisory Database repository use the Open Source Vulnerabilities (OSV) format. "In order for vulnerability management in open source to scale, security advisories need to be broadly accessible and easily contributed to by all," said Oliver Chang, software engineer for Google's Open Source Security Team. "OSV provides that capability."
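As an added example (not code from the announcement, GitHub, or the OSV project), here is a small Python check that reads a constructed OSV-format advisory and reports whether a given dependency version falls inside its affected ranges, the kind of matching a Dependabot-style alert relies on. The advisory ID, alias, package name and the simplified dotted-numeric version comparison are assumptions made for this example.

```python
import json

# Constructed OSV-format advisory for this example; the ID, alias and
# package name are placeholders, not a real GitHub Advisory Database entry.
SAMPLE_ADVISORY = json.dumps({
    "id": "GHSA-xxxx-xxxx-xxxx",
    "aliases": ["CVE-0000-00000"],
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-lib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "1.2.0"}, {"fixed": "1.4.1"},
            {"introduced": "2.0.0"}, {"last_affected": "2.0.3"}]}],
    }],
})

def parse_version(v):
    # Simplified dotted-numeric compare; real ecosystems need their own comparator.
    return tuple(int(p) for p in v.split("."))

def version_affected(version, events):
    # OSV events are ordered: 'introduced' opens an interval, 'fixed'
    # (exclusive) or 'last_affected' (inclusive) closes it; an interval
    # still open after the last event covers every later version.
    ver, start = parse_version(version), None
    for ev in events + [{}]:            # sentinel closes a trailing interval
        if "introduced" in ev:
            start = ev["introduced"]
        elif start is not None:
            fixed, last = ev.get("fixed"), ev.get("last_affected")
            lo_ok = start == "0" or ver >= parse_version(start)
            hi_ok = ((fixed is None or ver < parse_version(fixed)) and
                     (last is None or ver <= parse_version(last)))
            if lo_ok and hi_ok:
                return True
            start = None
    return False

def matching_advisory_ids(advisory_json, ecosystem, name, version):
    # Returns [id, *aliases] when the dependency falls inside any ECOSYSTEM range.
    adv = json.loads(advisory_json)
    for entry in adv.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and version_affected(version, rng["events"]):
                return [adv["id"], *adv.get("aliases", [])]
    return []
```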
Learn more about GitHub supply chain security
The GitHub Advisory Database is the foundation of GitHub's supply chain security capabilities, including Dependabot alerts and Dependabot security updates. If you have a security vulnerability in an open source repository that you maintain, the built-in security advisories feature in every GitHub open source repository can help.