Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
Contributions to this project are released to the public under the project's open source license.
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
github/advisory-database is the public repository for GitHub Advisory Database records. Contributions here help improve the quality, clarity, and completeness of advisory data so that developers, ecosystems, and security tools can consume consistent vulnerability metadata.
Examples of helpful contributions include:
- Correcting affected package or ecosystem information
- Fixing version ranges
- Adding or improving references
- Correcting CWEs, CVSS data, or other advisory metadata
- Updating existing advisories to better reflect already-public information
This repository is not the right place for:
- Reporting a new vulnerability that has not yet been disclosed appropriately
- Publishing proof-of-concept exploit code
- Coordinating disclosure with a maintainer or vendor
- Escalating a case where a maintainer or vendor is unresponsive
- Privately sharing sensitive details that are not yet public
This repository exists to curate and publish advisory records, not to serve as an intake or coordination channel for newly discovered vulnerabilities.
If you need to report a vulnerability to a project maintainer, please use GitHub's guidance on privately reporting a security vulnerability, which also includes instructions for repositories that do not have private vulnerability reporting enabled.
If your contribution includes sensitive or not-yet-public details, do not open a public pull request or issue here.
Please make sure that:
- The advisory you are updating already exists in this repository, or the vulnerability is already appropriate for a public advisory record
- The information you're adding is based on public, referenceable sources
- Your change follows the OSSF OSV schema
- Your pull request updates only one advisory per PR
If you want to improve multiple advisories, please submit them as separate pull requests.
- Fork and clone the repository
- Create a new branch:
  ```sh
  git checkout -b my-name-GHSA-ID
  ```
- Make your change to the advisory file
- Push to your fork and submit a pull request
- Pat yourself on the back and wait for your pull request to be reviewed and merged
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
- Follow the OSSF OSV schema
- Change one advisory per pull request
- Include links to public references that support your proposed changes
- Keep your changes focused and avoid unrelated formatting edits
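Before opening the pull request it is worth running a quick local sanity check against the points above. The script below is an added example for contributors, not part of the repository's own tooling: it checks that an edited record has the top-level fields the OSV schema requires, that each `affected[].ranges[]` entry has a known type and starts with an `introduced` event, that every reference is an http(s) URL, and that the set of changed files names exactly one GHSA id. The constraints are taken from the public OSV schema (https://ossf.github.io/osv-schema/); the GHSA ids, package names, URLs and `advisories/...` paths in the samples are constructed placeholders.

```python
import json
import re

# Added example for contributors; not part of the repository's own tooling.
# Constraints follow the OSV schema (https://ossf.github.io/osv-schema/).
# The sample records and paths at the bottom are constructed placeholders.

GHSA_ID = re.compile(r"^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$")
RANGE_TYPES = {"ECOSYSTEM", "SEMVER", "GIT"}
EVENT_KEYS = {"introduced", "fixed", "last_affected", "limit"}
REFERENCE_TYPES = {"ADVISORY", "ARTICLE", "DETECTION", "DISCUSSION", "REPORT",
                   "FIX", "INTRODUCED", "GIT", "PACKAGE", "EVIDENCE", "WEB"}
REQUIRED_TOP_LEVEL = ("schema_version", "id", "modified")


def check_record(record: dict) -> list[str]:
    """Return human-readable problems; an empty list means the record passed
    every check implemented here (this is not a full JSON Schema validation)."""
    problems = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in record:
            problems.append(f"missing required field {key!r}")
    rid = record.get("id", "")
    if not GHSA_ID.match(rid):
        problems.append(f"id {rid!r} is not a GHSA identifier")

    for i, aff in enumerate(record.get("affected", [])):
        pkg = aff.get("package", {})
        if not pkg.get("ecosystem") or not pkg.get("name"):
            problems.append(f"affected[{i}].package needs both ecosystem and name")
        for j, rng in enumerate(aff.get("ranges", [])):
            where = f"affected[{i}].ranges[{j}]"
            if rng.get("type") not in RANGE_TYPES:
                problems.append(f"{where}.type must be one of {sorted(RANGE_TYPES)}")
            events = rng.get("events", [])
            # OSV requires the first event of a range to be 'introduced'.
            if not events or "introduced" not in events[0]:
                problems.append(f"{where}.events must start with an 'introduced' event")
            for ev in events:
                if len(ev) != 1 or next(iter(ev)) not in EVENT_KEYS:
                    problems.append(f"{where}.events entries must each hold one key "
                                    f"from {sorted(EVENT_KEYS)}")
                    break
            keys = {k for ev in events for k in ev}
            if "fixed" in keys and "last_affected" in keys:
                problems.append(f"{where} mixes 'fixed' and 'last_affected'")

    refs = record.get("references", [])
    if not refs:
        problems.append("no references: changes must be supported by public sources")
    for k, ref in enumerate(refs):
        if ref.get("type") not in REFERENCE_TYPES:
            problems.append(f"references[{k}].type is not an OSV reference type")
        if not str(ref.get("url", "")).startswith(("http://", "https://")):
            problems.append(f"references[{k}].url is not an http(s) URL")
    return problems


def advisories_touched(paths: list[str]) -> set[str]:
    """GHSA ids named by the changed files; a PR should touch exactly one."""
    ids = set()
    for path in paths:
        stem = path.rsplit("/", 1)[-1].removesuffix(".json")
        if GHSA_ID.match(stem):
            ids.add(stem)
    return ids


# Constructed sample: a well-formed record (placeholder id, package and URL).
GOOD = {
    "schema_version": "1.4.0",
    "id": "GHSA-aaaa-bbbb-cccc",
    "modified": "2024-01-01T00:00:00Z",
    "published": "2024-01-01T00:00:00Z",
    "summary": "Placeholder summary",
    "details": "Placeholder details.",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-package"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}],
    }],
    "references": [{"type": "ADVISORY", "url": "https://example.com/advisory"}],
}

# Constructed sample with mistakes that creep in when fixing a version range:
# range type dropped, 'fixed' listed before 'introduced', reference not a URL.
BAD = json.loads(json.dumps(GOOD))  # deep copy
BAD["affected"][0]["ranges"][0] = {"events": [{"fixed": "1.2.3"}, {"introduced": "0"}]}
BAD["references"] = [{"type": "WEB", "url": "see upstream changelog"}]

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("bad", BAD)):
        print(name, check_record(rec) or "ok")
    # Two advisory files in one change set: the PR should be split.
    print(advisories_touched([
        "advisories/github-reviewed/2024/01/GHSA-aaaa-bbbb-cccc/GHSA-aaaa-bbbb-cccc.json",
        "advisories/github-reviewed/2024/02/GHSA-dddd-eeee-ffff/GHSA-dddd-eeee-ffff.json",
    ]))
```

Run it against the file you edited by loading it with `json.load` and passing the result to `check_record`; feed `advisories_touched` the output of `git diff --name-only` on your branch and confirm it returns a single id. A clean run does not replace review, but it catches the mechanical errors that most often send a pull request back for changes.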
Sometimes we'll need to close or redirect a contribution. Common reasons include:
- The pull request is attempting to disclose a new vulnerability rather than improve an advisory record
- The pull request includes sensitive, private, or not-yet-public information
- The change is not supported by public references
- The pull request includes changes to multiple advisories
- The contribution is better handled through a private disclosure or maintainer coordination workflow
In these cases, we may ask you to use a more appropriate reporting path instead.
Sometimes our curation team may need more information or clarification about your contribution. They will respond directly to your pull request with comments and questions. Once they have this information, they can continue reviewing your changes.
If we don't hear back after a period of time, we may close the pull request. Closing a pull request does not mean your contribution is unwelcome; it usually just means we needed more information than was provided, or that we couldn't complete review in its current state.
You're always welcome to return with updated information and open a new pull request.