GitHub Advisory Database is the largest database of vulnerabilities in software dependencies.
It also lets the repository managers/contributors privately discuss and fix a vulnerability before disclosing it to the database.
While it was useful at times, it previously took input only from verified sources, with no contributions from the community.
Now, to add more information to the database, and enhance the awareness of security advisories, GitHub made the database open to community contribution.
In other words, any open-source contributor can now add more information for a vulnerability, or share any other insight they have.
Ultimately, it should help improve the state of open-source software security. Let me highlight more details on it.
Free and Open Security Data
Overall, the available information on the existing Advisory Database and the new public repository (combined) should benefit the industry and the community.
The advisories in the repository use the Open Source Vulnerabilities (OSV) format to keep things convenient for all.
Oliver Chang, a software engineer for Google’s Open Source Security Team, said:
“In order for vulnerability management in open source to scale, security advisories need to be broadly accessible and easily contributed to by all. OSV provides that capability.”
The availability of the security database and the ability for the community to contribute their insights/knowledge should enhance the information available.
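As an added illustration (not code from GitHub or from the article), this is how a tool could consume an advisory in the OSV format mentioned above to check whether a pinned dependency falls inside an affected version range. The advisory, its id and the package name are constructed placeholders, and the version comparison is a simplification for dotted numeric versions only.

```python
"""Check a pinned dependency against an OSV-format advisory (added illustration)."""
import json
from typing import Optional, Tuple

# Constructed sample in the OSV format; id, alias and package are placeholders, not a real advisory.
SAMPLE_ADVISORY = json.loads("""
{
  "schema_version": "1.4.0",
  "id": "GHSA-xxxx-xxxx-xxxx",
  "summary": "Example: crafted input causes excessive memory use",
  "aliases": ["CVE-0000-00000"],
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplelib"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}
      ]
    }
  ],
  "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}]
}
""")


def _key(version: str) -> tuple:
    """Numeric tuple for dotted versions (sufficient here; real ecosystems have their own ordering rules)."""
    return tuple(int(part) for part in version.split("."))


def affected_fixed_version(advisory: dict, ecosystem: str, name: str,
                           version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version) for the given package version.

    Walks each ECOSYSTEM range's events in order: an 'introduced' event opens an
    interval and the next 'fixed' event closes it; an interval with no 'fixed'
    event stays open-ended, in which case fixed_version is None.
    """
    for affected in advisory.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in affected.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            introduced = None
            for event in rng.get("events", []):
                if "introduced" in event:
                    introduced = event["introduced"]
                elif "fixed" in event and introduced is not None:
                    if _key(introduced) <= _key(version) < _key(event["fixed"]):
                        return True, event["fixed"]
                    introduced = None  # interval closed, version was not inside it
            if introduced is not None and _key(introduced) <= _key(version):
                return True, None  # affected, no fix published yet
    return False, None
```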
Contributing to Security Advisories
As of now, any open-source contributor can use a pull request to add information to the public repository of security advisories.
To get started, browse the listed advisories and open the details of one. If you think you can add more information about the vulnerability, click “Suggest improvements for this vulnerability”.
Here, you will get a form where you can add the necessary details and submit your improvement suggestions.
The pull requests/additions will be reviewed by the maintainers of the project and the security researchers from the GitHub Security Lab. So, opening a pull request does not mean that the information will be added to the database; it is subject to approval.
Community Support Essential for Securing Software Supply Chains
With the huge number of open-source software dependencies and tools, it only makes sense to involve everyone interested in improving the information available about security vulnerabilities.
Every tip and trick added to the database should help developers, repository maintainers, and others secure their tools, while also helping their users quickly mitigate the vulnerability.
The more awareness and information about known vulnerabilities, the easier it is to fix or tackle them.
After all, the open-source way should solve a lot of problems for open-source software security. What do you think?