418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

Question regarding republishing CVEs via GitHub Advisories #2186

Closed tomaarsen closed 2 years ago

tomaarsen commented 2 years ago

Hello!

The GitHub documentation states that:

You can also use GitHub Security Advisories to republish the details of a security vulnerability that you have already disclosed elsewhere by copying and pasting the details of the vulnerability into a new security advisory.

Is this practice recommended for CVEs disclosed via huntr.dev? My understanding is that this will also publish the CVE on https://github.com/advisories, and send a Dependabot alert to affected repositories. Note that this simply re-uses the CVE number, and does not re-publish the CVE on e.g. MITRE.

adam-nygate commented 2 years ago

Hey @tomaarsen 👋

Unfortunately, I don't believe GitHub exposes an API to their Security Advisories DB that would allow us to automatically publish the CVEs we issue to their interface. However, I'm pretty sure that they pull CVEs into their database - you can see some of the ones we've issued here.

tomaarsen commented 2 years ago

Ooh, that is interesting. That saves some time. Sadly GitHub does not seem to allow the project owners to modify these advisories any further, which is a shame, but so be it. Thanks for the heads up!