Today, the majority of security vulnerabilities are introduced by software engineers. To build the most secure code possible, we must acknowledge that some vulnerabilities are still inevitable: they slip past architecture reviews, code review, a CI/CD pipeline full of automated detection, and penetration testing, and eventually put systems and users at risk.
GitHub and HackerOne are collaborating to help close the gap between the hacker community and software engineers to make vulnerability disclosure easier on open source maintainers.
Disclosing a security vulnerability to an open source maintainer has proven to be difficult. Too often, reporters who cannot find a private channel resort to opening a public issue on the repository, which exposes the project's users to the flaw before a fix is available. Today at GitHub Satellite in Berlin, GitHub announced steps it is taking to address this problem. The two new features are a SECURITY.md file in repositories and the ability for maintainers and reporters to collaborate privately on security advisories.
The SECURITY.md file holds a security policy that tells reporters how to disclose vulnerabilities to the repository maintainers through a private, secure channel instead of a public issue. To make it easy for maintainers on GitHub to set up a policy, HackerOne is publishing an updated version of its Policy Builder, which lets you generate a SECURITY.md file within minutes.
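The following is an illustrative SECURITY.md added here as an example; it is not a file from the original post, from GitHub, or from HackerOne's Policy Builder. The project name, contact address, PGP fingerprint, and version numbers are placeholders, and the timelines are assumptions a maintainer would replace with their own commitments.

```markdown
# Security Policy

## Supported Versions

Only the versions below receive security fixes. (Placeholder versions.)

| Version | Supported |
| ------- | --------- |
| 2.x     | yes       |
| 1.x     | no        |

## Reporting a Vulnerability

Please do NOT open a public GitHub issue for security problems.

Instead, email security@example.org (placeholder address). If you want to
encrypt your report, use the PGP key with fingerprint
`0000 0000 0000 0000 0000  0000 0000 0000 0000 0000` (placeholder).

Include in your report:

- a description of the issue and its impact
- the affected version(s) and component(s)
- steps to reproduce, or a proof of concept if you have one
- whether you want to be credited, and how

## What to expect

These timelines are assumptions for this example, not a standard:

- acknowledgement of your report within 3 business days
- a first assessment and a fix plan within 14 days
- coordinated public disclosure once a fixed release is available

We will keep you informed of progress and credit you in the advisory
unless you ask us not to.
```

A policy like this is useful only if the stated channel is monitored: before publishing it, confirm that mail to the contact address actually reaches someone who can triage it, and that the PGP key you list is the one you can decrypt with.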
Hacker-powered security is more than crowdsourced vulnerability discovery. Integrated into the development process, it becomes an enablement function for software engineers: reported findings inform architectural decisions, feed automated detection of the same bug classes in the future, and sharpen code review. We're excited to continue working with GitHub on closing the gap and enabling hackers to work more closely with software engineers. Vulnerabilities are inevitable, but by taking the guesswork out of vulnerability reporting, GitHub is helping millions of engineers contribute more secure code.