GitHub has announced that it is opening its Advisory Database to community contributions, with the aim of improving the security of the software supply chain. Independent security researchers, academics, and enthusiasts can now submit their own vulnerability research to the open source development platform, adding further insight into existing vulnerabilities.

Expert Comments

February 24, 2022
Gary Robinson
CSO
Uleska


GitHub has an impressive community and all efforts to make it easier to flag security issues are welcomed.  

While there have always been efforts in the security community to have an open discussion on security issues in open source libraries, it’s been slightly more directed at security practitioners.  Hopefully this feature in GitHub will make it easier for everyone to submit potential security issues. 

It’s been recognized over the last few years that the number of security issues being raised is rapidly growing – in 2015, 6,504 CVEs were recognized, while in 2021 that more than tripled to 20,142 – and the security community dealing with reviewing these submissions has been under pressure, especially at the governmental level.

It remains to be seen the volume of new security issues this feature will add, and it would be interesting to see metrics on the number of successful, duplicate, and rejected submissions to monitor how the process is working.

February 25, 2022
Jonathan Knudsen
Senior Security Strategist
Synopsys


Accurate, timely, and consistent vulnerability information about open source software components is a crucial part of securing a software supply chain and driving down risk. The National Vulnerability Database (NVD) from US NIST attempts to be a list of all known vulnerabilities in any piece of software, but its shortcomings are well known. In an industry where hours can make a difference, new known vulnerabilities can take weeks to appear in NVD. Furthermore, severity scoring lacks consistency, and metadata such as the affected versions of software can be unreliable. 

The problems with NVD are addressed by various security vendors with enhanced vulnerability databases, such as Synopsys’s Black Duck Security Advisories (BDSA). A dedicated team of security researchers provides much faster, more consistent, more reliable information for paying customers.

GitHub’s Advisory Database is another enhanced vulnerability database, but is publicly available and can be enhanced by community submissions. While a crowdsourced vulnerability database is an interesting idea, only time will tell if it is successful. What’s the motivation for contributors? How fast, accurate, and consistent can community contributions be? 

Perhaps the combination of (1) focus on open source projects, (2) freely available information, and (3) community support will make the GitHub Advisory Database a perfect fit for the open source community, but paying customers are likely to continue requiring the speed, accuracy, and consistency of commercial enhanced vulnerability databases.
