GitHub announced on Tuesday that its Advisory Database for security data is now open to contributions from experts.
GitHub senior product manager Kate Catlin explained that the company has teams of security researchers that review all changes and help keep security advisories up to date.
But with the number of new vulnerabilities and different attack vectors emerging each day, the company believes members of its community may be able to share additional insights and intelligence on CVEs.
“GitHub believes that free and open security data is critical to empowering the industry as a whole to best secure our software supply chains. Today, we are excited to announce that the GitHub Advisory Database is now open to community contributions! GitHub is publishing the full contents of the Advisory Database to make it easier for the community to benefit from this data. We’ve also built a user interface for making contributions, which is documented below. The data is licensed under a Creative Commons license, and has been since the database’s inception, making it forever free and usable by the community,” Catlin said.
“The GitHub Advisory Database is the largest database of vulnerabilities in software dependencies in the world. It is maintained by a dedicated team of full-time curators and powers the security audit experience for npm and NuGet, as well as GitHub’s own Dependabot alerts. By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software.”
GitHub has built a “suggest improvements for this vulnerability” workflow into security advisories in the database. Suggestions are reviewed by researchers from GitHub Security Lab and by the maintainer of the project who filed the CVE.
The form allows you to suggest changes or provide more context on packages, affected versions, impacted ecosystems, and more.
Catlin added that the advisories in the GitHub Advisory Database repository will use the Open Source Vulnerabilities (OSV) format. Oliver Chang, software engineer for Google’s Open Source Security Team, said in order for vulnerability management in open source to scale, security advisories “need to be broadly accessible and easily contributed to by all.”
“OSV provides that capability,” Chang said.
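Because advisories in the database are published in the OSV format, a consumer can check a dependency against them mechanically. The following is an added example, not code from GitHub or from the OSV project: it parses a constructed OSV record (placeholder advisory id and package name, not a real vulnerability) and reports whether a given package version falls inside an affected range.

```python
import json

# Constructed sample advisory in the OSV format. The id and package name are
# placeholders for illustration only, not a real advisory.
SAMPLE_OSV = json.dumps({
    "id": "GHSA-xxxx-xxxx-xxxx",
    "summary": "Constructed example advisory",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-package"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}],
        }],
    }],
})


def parse_version(v):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def is_affected(advisory_json, ecosystem, name, version):
    """Return True if (ecosystem, name, version) lies in any affected range.

    Only 'introduced'/'fixed' events are handled here; the OSV schema also
    allows 'last_affected' and 'limit' events, which this example ignores.
    """
    advisory = json.loads(advisory_json)
    target = parse_version(version)
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            introduced = None
            for event in rng.get("events", []):
                if "introduced" in event:
                    # "0" in OSV means "from the first version ever published".
                    introduced = parse_version(event["introduced"])
                elif "fixed" in event and introduced is not None:
                    if introduced <= target < parse_version(event["fixed"]):
                        return True
                    introduced = None
            # An 'introduced' event with no matching 'fixed' is open-ended.
            if introduced is not None and introduced <= target:
                return True
    return False
```

Versions that are not purely numeric (pre-release tags, ecosystem-specific ordering) need the ecosystem's own comparison rules, which this simplified parser does not model.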
GitHub repeatedly pushed its users to enable two-factor authentication last year and, in August, announced that it would stop accepting account passwords when authenticating Git operations. The platform began requiring people to use stronger authentication factors like personal access tokens, SSH keys, or OAuth or GitHub App installation tokens for all authenticated Git operations on GitHub.com.
In January GitHub announced that two-factor authentication would be available to all users through GitHub Mobile.