todogroup / gh-issues

A curated set of issues related to GitHub and running corporate scale open source
http://todogroup.org

Allow private issues and pull requests for public repositories (for vulnerabilities) #37

Closed david-a-wheeler closed 4 years ago

david-a-wheeler commented 8 years ago

Please make it possible to create private issues and pull requests for public repositories on GitHub, so that vulnerability reports and fixes aren't automatically posted to the world. Many open source software projects use the GitHub issue tracker for reports, but currently attackers can simply monitor the public reports and create attacks from the hard work others have done.

This is already a known problem with GitHub; see https://github.com/isaacs/github/issues/37. Other issue tracking systems, such as Bugzilla, already support this.

This can cause trouble for people trying to get the CII best practices badge. Criterion vulnerability_report_private states that "If private vulnerability reports are supported, the project MUST include how to send the information in a way that is kept private." Projects do not have to support private vulnerability reports, but many will want to do so, and that's when they suddenly realize that GitHub doesn't support something important they want. Instead of figuring out how to work around this lack, it'd be better to make it easy.

benbalter commented 6 years ago

CX: https://github.com/todogroup/gh-issues/issues/52

Dor1s commented 5 years ago

+1, private issues are a really important piece GitHub is missing right now.

jeffmcaffer commented 5 years ago

Does the new Maintainer Security Advisories address this for you?

LoneDev6 commented 4 years ago

> +1, private issues are a really important piece GitHub is missing right now.

Still missing... it's a really important feature and 4 years have passed.

caniszczyk commented 4 years ago

https://help.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories

caniszczyk commented 4 years ago

While private GitHub issues aren't possible, the new workflow for security advisories inside GitHub essentially allows you to accomplish what you desire: https://help.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories

david-a-wheeler commented 4 years ago

How? There's still no way for someone to privately report a vulnerability.

The new workflow does help with processing and fixing a vulnerability once it is known, but I don't see how someone outside the project can report the vulnerability in the first place to kick off the process. Of course, I may have missed it; please let me know if I did.

david-a-wheeler commented 4 years ago

The CVE process does have a way to privately report vulnerabilities to a CVE Numbering Authority, but that still provides no way to privately report the problem to the actual project.

Dor1s commented 4 years ago

@caniszczyk could you please re-open this?