Request to enable GitHub Security Advisories (GHSA) for relevant repositories
Hey folks,

Can I ask everyone who is hosting their project on GitHub and is an admin of a PyPA project to enable the "Private Vulnerability Reporting <https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilit...>" feature if they don't already have a security reporting process? (Settings > Advanced Security > Private Vulnerability Reporting)

This feature is a ticketing system, so you can take your time with reports without them falling through the cracks and collaborate with others more easily. I am happy to be added to GHSAs as a collaborator (@sethmlarson) if you need a second opinion or are unsure how the feature works. Also happy to answer questions about the feature.

Thank you,
Seth Larson
On Fri, Apr 10, 2026 at 6:11 PM Seth Larson <seth@python.org> wrote:
> Can I ask everyone who is hosting their project on GitHub and is an admin of a PyPA project to enable the "Private Vulnerability Reporting" feature if they don't already have a security reporting process?
> (Settings > Advanced Security > Private Vulnerability Reporting)
>
> This feature is a ticketing system, so you can take your time with reports without them falling through the cracks and collaborate with others more easily. I am happy to be added to GHSAs as a collaborator (@sethmlarson) if you need a second opinion or are unsure how the feature works. Also happy to answer questions about the feature.
I've used this feature in many projects, and our security policy documents explicitly require routing reports this way exclusively. So I wanted to share examples of those policy files: https://github.com/pypa/gh-action-pypi-publish/blob/cef221092ed1bacb1cc03d23... / https://github.com/aio-libs/.github/blob/801b2a23b5c4cb1dd0652450f17e12e7906... — feel free to use them as templates if you need ;)

--
Cheers,
Sviatoslav Sydorenko