GitHub opens its vulnerabilities Advisory Database to community submissions

GitHub is opening the GitHub Advisory Database to community submissions, some two years after the Microsoft-owned code-hosting platform first launched the vulnerabilities database for public consumption.

The move fits into a broader industrial push to secure the software supply chain, and follows a recent White House-hosted open source security summit which sought to address how best to tackle flaws in community-driven software — such as the recently-discovered Log4j vulnerability.

“GitHub believes that free and open security data is critical to empowering the industry as a whole to best secure our software supply chains,” GitHub senior product manager Kate Catlin wrote in a blog post.

Search and find

The GitHub Advisory Database is a massive compendium of software dependency vulnerabilities, allowing developers to search for known issues that impact open source projects on GitHub, including specific repositories in their own projects that might be affected.

So far, GitHub has populated the database using information gleaned from various sources, including the National Vulnerability Database; a mix of machine learning and human reviews of of public code commits on GitHub; security advisories reported through GitHub; and the NPM security advisories database. Moving forward, rather than relying entirely on teams of security researchers and curators to maintain the database, review code changes, and keep the advisories up to date, GitHub will now enable community members to add their dime’s worth to the mix.

To support this new push, the entire contents of the Advisory Database has a new public repository, with a user interface for making contributions. As with the existing database, all data will be made available under a Creative Commons license, so it can be repurposed in any way.

This means that anyone from independent security researchers and academics to freelance coders can now provide additional information and context to confirmed CVEs (Common Vulnerabilities and Exposures). To do so, developers can navigate to a specific security advisory in the database, and then submit their research through the “suggest improvements for this vulnerability” option.

It’s worth noting that all community submissions will still be reviewed by GitHub and the maintainer who initially filed the CVE if known.

“By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software,” Catlin noted.