It has been announced that GitHub has opened up its security Advisory Database to community contributions with the aim of furthering the security of the software supply chain. Independent security researchers, academics, and enthusiasts are now able to submit their own research into security vulnerabilities into the open source development platform to provide further insight into existing vulnerabilities.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Accurate, timely, and consistent vulnerability information about open source software components is a crucial part of securing a software supply chain and driving down risk. The National Vulnerability Database (NVD) from US NIST attempts to be a list of all known vulnerabilities in any piece of software, but its shortcomings are well known. In an industry where hours can make a difference, new known vulnerabilities can take weeks to appear in NVD. Furthermore, severity scoring lacks consistency, and metadata such as the affected versions of software can be unreliable.
The problems with NVD are addressed by various security vendors with enhanced vulnerability databases, such as Synopsys’s Black Duck Security Advisories (BDSA). A dedicated team of security researchers provide much faster, more consistent, more reliable information for paying customers.
GitHub’s Advisory Database is another enhanced vulnerability database, but is publicly available and can be enhanced by community submissions. While a crowdsourced vulnerability database is an interesting idea, only time will tell if it is successful. What’s the motivation for contributors? How fast, accurate, and consistent can community contributions be?
Perhaps the combination of (1) focus on open source projects, (2) freely available information, and (3) community support will make the GitHub Advisory Database a perfect fit for the open source community, but paying customers are likely to continue requiring the speed, accuracy, and consistency of commercial enhanced vulnerability databases.
GitHub has an impressive community and all efforts to make it easier to flag security issues are welcomed.
While there have always been efforts in the security community to have an open discussion on security issues in open source libraries, it’s been slightly more directed at security practitioners. Hopefully this feature in GitHub will make it easier for everyone to submit potential security issues.
It’s been recognized over the last few years that the number of security issues being raised is rapidly growing – in 2015 6,504 CVEs were recognized, while in 2021 that more than tripled to 20,142 – and the security community dealing with reviewing these submissions have been under pressure, especially at the governmental level.
It remains to be seen the volume of new security issues this feature will add, and it would be interesting to see metrics on the number of successful, duplicate, and rejected submissions to monitor how the process is working.