GitHub Goes Open Source On Security Research

By ISBuzz Team, Writer, Information Security Buzz | Feb 25, 2022 08:27 am PST

GitHub has announced that it has opened up its security Advisory Database to community contributions, with the aim of furthering the security of the software supply chain. Independent security researchers, academics, and enthusiasts can now submit their own research on security vulnerabilities to the open source development platform, providing further insight into existing vulnerabilities.

2 Expert Comments
Jonathan Knudsen, Senior Security Strategist
February 25, 2022 4:27 pm

Accurate, timely, and consistent vulnerability information about open source software components is a crucial part of securing a software supply chain and driving down risk. The National Vulnerability Database (NVD) from US NIST attempts to be a list of all known vulnerabilities in any piece of software, but its shortcomings are well known. In an industry where hours can make a difference, new known vulnerabilities can take weeks to appear in NVD. Furthermore, severity scoring lacks consistency, and metadata such as the affected versions of software can be unreliable. 

The problems with NVD are addressed by various security vendors with enhanced vulnerability databases, such as Synopsys’s Black Duck Security Advisories (BDSA). A dedicated team of security researchers provides much faster, more consistent, more reliable information for paying customers.

GitHub’s Advisory Database is another enhanced vulnerability database, but is publicly available and can be enhanced by community submissions. While a crowdsourced vulnerability database is an interesting idea, only time will tell if it is successful. What’s the motivation for contributors? How fast, accurate, and consistent can community contributions be? 

Perhaps the combination of (1) focus on open source projects, (2) freely available information, and (3) community support will make the GitHub Advisory Database a perfect fit for the open source community, but paying customers are likely to continue requiring the speed, accuracy, and consistency of commercial enhanced vulnerability databases.

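The metadata Knudsen's comment calls unreliable (affected versions, severity labels, timestamps) is something a consumer of any advisory feed can check mechanically. The following is an added example, not code from the article, from GitHub, or from either commenter: it builds two constructed records shaped like the OSV JSON format in which the GitHub Advisory Database is published (the GHSA ids, package names, versions, dates and CVE alias are placeholders, and the severity label set is an assumption), validates them for internal consistency, and answers the question a dependency scanner actually asks, whether a given package version falls inside an affected range.

```python
"""Added example: sanity checks on vulnerability-advisory records.

The records below are constructed samples shaped like OSV JSON; ids, package
names, versions, dates and aliases are placeholders, not real advisories.
"""
import re

# Assumed label set; adjust to whatever the feed you consume actually emits.
SEVERITY_LABELS = {"LOW", "MODERATE", "HIGH", "CRITICAL"}
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample: a well-formed record.
GOOD_ADVISORY = {
    "id": "GHSA-xxxx-xxxx-xxx1",            # placeholder, not a real GHSA id
    "published": "2022-02-01T00:00:00Z",
    "modified": "2022-02-03T00:00:00Z",
    "aliases": ["CVE-1900-00001"],            # placeholder alias (impossible year)
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-lib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]}],
    }],
    "severity": [{"type": "CVSS_V3",
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
    "database_specific": {"severity": "CRITICAL"},
}

# Constructed sample carrying the kinds of defects the comment describes:
# unreliable affected-version data and an inconsistent severity.
BAD_ADVISORY = {
    "id": "GHSA-xxxx-xxxx-xxx2",            # placeholder id
    "published": "2022-02-05T00:00:00Z",
    "modified": "2022-02-01T00:00:00Z",      # modified before published
    "aliases": ["CVE-1900-1"],                # malformed CVE id
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "example-pkg"},
        "ranges": [{"type": "ECOSYSTEM",      # fix version precedes introduced version
                    "events": [{"introduced": "2.0.0"}, {"fixed": "1.9.0"}]}],
    }],
    "severity": [],                           # label with no CVSS vector behind it
    "database_specific": {"severity": "MEDIUM"},
}


def parse_version(text):
    """Simplified semver: numeric dotted core only; pre-release/build suffixes are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def affected_intervals(events):
    """Turn an OSV event list into (low, high, high_inclusive) version intervals.

    'introduced' opens an interval; 'fixed' closes it exclusively, 'last_affected'
    inclusively. A close without an open is kept with low=None so validation can flag it.
    """
    intervals, low = [], None
    for event in events:
        if "introduced" in event:
            low = parse_version(event["introduced"])
        elif "fixed" in event:
            intervals.append((low, parse_version(event["fixed"]), False))
            low = None
        elif "last_affected" in event:
            intervals.append((low, parse_version(event["last_affected"]), True))
            low = None
    if low is not None:                       # introduced with no fix yet: open-ended
        intervals.append((low, None, False))
    return intervals


def validate_advisory(adv):
    """Return a list of consistency problems; an empty list means the record passed."""
    problems = []
    # ISO-8601 UTC timestamps in the same layout compare correctly as strings.
    if adv.get("modified", "") < adv.get("published", ""):
        problems.append("modified timestamp precedes published timestamp")
    for alias in adv.get("aliases", []):
        if alias.startswith("CVE-") and not CVE_ID.match(alias):
            problems.append(f"malformed CVE id {alias}")
    for entry in adv.get("affected", []):
        name = entry["package"]["name"]
        for rng in entry.get("ranges", []):
            for low, high, _ in affected_intervals(rng.get("events", [])):
                if low is None:
                    problems.append(f"{name}: fixed/last_affected without introduced")
                elif high is not None and not low < high:
                    problems.append(f"{name}: introduced {low} is not before fix {high}")
    label = adv.get("database_specific", {}).get("severity")
    if label not in SEVERITY_LABELS:
        problems.append(f"unexpected severity label {label!r}")
    vectors = [s.get("score", "") for s in adv.get("severity", [])
               if s.get("type", "").startswith("CVSS")]
    if not any(v.startswith("CVSS:3.") for v in vectors):
        problems.append("no CVSS v3 vector to back the severity label")
    return problems


def is_affected(adv, ecosystem, name, version):
    """Does this advisory cover the given package version?"""
    wanted = parse_version(version)
    for entry in adv.get("affected", []):
        pkg = entry["package"]
        if (pkg["ecosystem"].lower(), pkg["name"]) != (ecosystem.lower(), name):
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue                      # GIT ranges need commit history, not version math
            for low, high, inclusive in affected_intervals(rng.get("events", [])):
                if low is None or wanted < low:
                    continue
                if high is None or wanted < high or (inclusive and wanted == high):
                    return True
    return False


if __name__ == "__main__":
    for adv in (GOOD_ADVISORY, BAD_ADVISORY):
        print(adv["id"], validate_advisory(adv) or "ok")
    print(is_affected(GOOD_ADVISORY, "npm", "example-lib", "1.2.0"))
```

Running the checks on a feed as it is ingested, rather than trusting the record, is what turns "affected versions can be unreliable" into a measurable rejection rate; the same `is_affected` logic is the core of any dependency scanner that consumes these records.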
Gary Robinson
February 24, 2022 12:52 pm

GitHub has an impressive community and all efforts to make it easier to flag security issues are welcomed.  

While there have always been efforts in the security community to have an open discussion on security issues in open source libraries, it’s been slightly more directed at security practitioners.  Hopefully this feature in GitHub will make it easier for everyone to submit potential security issues. 

It’s been recognized over the last few years that the number of security issues being raised is rapidly growing – in 2015 6,504 CVEs were recognized, while in 2021 that more than tripled to 20,142 – and the security community dealing with reviewing these submissions have been under pressure, especially at the governmental level. 

It remains to be seen what volume of new security issues this feature will add, and it would be interesting to see metrics on the number of successful, duplicate, and rejected submissions to monitor how the process is working.

