GitHub Security Advisories #201605
Replies: 2 comments
-
|
Hi, From what I’ve seen, it depends on how urgent the vulnerability is. If there is no active risk and the fix is already available, waiting for the CVE before publishing can make things cleaner because everything is linked together. If users are at risk or the vulnerability is already known, publishing the advisory first is usually better. The CVE can be added later. The main priority should be making sure users can protect themselves as soon as possible. |
Beta Was this translation helpful? Give feedback.
-
|
One additional consideration is how users will learn about the fix. A common responsible disclosure workflow is:
Many projects don't delay notifying users solely because a CVE identifier hasn't been issued yet. The important part is ensuring users have enough information to determine:
If a CVE is still pending, the advisory can usually be updated later to include the CVE ID and any additional references. That keeps users informed without unnecessarily delaying security guidance, while still preserving a clear disclosure timeline. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Introduce yourself
Hi everyone,
I'm currently working with the maintainers of an open-source project on a security advisory. The vulnerability has already been fixed, but we're unsure whether the advisory should be published immediately or wait until a CVE has been assigned.
Has anyone been in a similar situation? Is it generally recommended to wait for the CVE, or is publishing the advisory first considered acceptable?
I'd appreciate any advice or best practices.
Thanks!
Links (optional)
No response
Where are you in your GitHub journey?
Brand new to GitHub
And where are you going next on GitHub?
1
What technical skills or projects are you working on?
1
Got a question for us? (optional)
No response
Beta Was this translation helpful? Give feedback.
All reactions