Typelevel governance
Creative Commons Attribution 4.0 International

Enable vulnerability reporting via GitHub #74

Open armanbilge opened 1 year ago

armanbilge commented 1 year ago

It looks like it is now possible to report vulnerabilities directly through the GitHub UI (h/t @hamnis). Thoughts on enabling this across the orgs?

https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability

cc @typelevel/security

rossabaker commented 1 year ago

:+1: Finally, Microsoft!

It's not 100% clear to me who receives these reports. The documentation keeps informally saying "you" and "repository maintainers". This page seems most authoritative:

Who can use this feature

Anyone with admin permissions to a repository can see, review, and manage privately-reported vulnerabilities for the repository.

In practice, that would mostly be Steering, who could loop in Security. That's fine.

I don't see a way to roll it out at the org level, so there'd be some tedious clicking. Since it's a Beta feature, and since it's not easy to reliably maintain at the org level, I would propose we make this the preferred way, but not tear down the e-mail backstop.