
Add support for filing GitHub Security Advisories via file_github_security_advisory #5015

@pellared


Background

OSS-Fuzz currently supports filing public GitHub issues when bugs are found via the file_github_issue configuration option in project.yaml files. However, many projects need a way to report security vulnerabilities privately before public disclosure, following responsible disclosure practices.

GitHub Security Advisories provide a secure, authenticated channel for privately reporting vulnerabilities, which is more reliable than email-based reporting (which can become outdated or go to unverified recipients).

Related OSS-Fuzz issue: google/oss-fuzz#14230

Proposed Enhancement

Add support for a new file_github_security_advisory configuration option in OSS-Fuzz project.yaml files that would automatically create private GitHub Security Advisories instead of (or in addition to) public issues.

Configuration Example

homepage: "https://github.com/example/project"
language: c++
primary_contact: "security@example.com"
main_repo: "https://github.com/example/project"
file_github_security_advisory: true  # New option
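The following is an added example, not OSS-Fuzz code or anything proposed by the issue author: it sketches how a `file_github_security_advisory` flag could be read from the `project.yaml` above, how it would route a fuzzer-found bug alongside (or instead of) the existing `file_github_issue` option, and what the resulting request to GitHub's repository security advisory endpoint (`POST /repos/{owner}/{repo}/security-advisories`) looks like. The helper names (`parse_project_yaml`, `report_channels`, `build_advisory_request`) and the flat YAML stand-in parser are assumptions for illustration; OSS-Fuzz's real config loader and reporting code are not shown here.

```python
"""Added example (not OSS-Fuzz code): routing a crash report to a private
GitHub Security Advisory based on a project.yaml flag."""
import json
import urllib.request

GITHUB_API = "https://api.github.com"

# Constructed sample: the configuration shown in the issue.
SAMPLE_PROJECT_YAML = """\
homepage: "https://github.com/example/project"
language: c++
primary_contact: "security@example.com"
main_repo: "https://github.com/example/project"
file_github_security_advisory: true  # New option
"""


def parse_project_yaml(text):
    """Minimal stand-in parser for the flat `key: value` project.yaml above.
    OSS-Fuzz itself uses a real YAML loader; this avoids that dependency."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        value = value.strip('"')
        if value.lower() in ("true", "false"):
            value = value.lower() == "true"
        config[key] = value
    return config


def report_channels(config):
    """Decide where a finding is filed. The two flags are independent, so a
    project can opt into advisories 'instead of' or 'in addition to' issues."""
    channels = []
    if config.get("file_github_security_advisory") is True:
        channels.append("security_advisory")  # private, maintainers only
    if config.get("file_github_issue") is True:
        channels.append("issue")  # public
    # Neither flag set: keep the report on the OSS-Fuzz side only.
    return channels or ["internal_only"]


def repo_slug(main_repo):
    """'https://github.com/owner/name[.git]' -> 'owner/name'."""
    path = main_repo.rstrip("/").split("github.com/", 1)[1]
    return path[:-4] if path.endswith(".git") else path


def build_advisory_payload(summary, description, severity="medium"):
    """Request body for the GitHub advisory API. `summary` and `description`
    are required; `severity` must be one of the API's four levels."""
    if severity not in ("low", "medium", "high", "critical"):
        raise ValueError(f"unsupported severity: {severity}")
    return {"summary": summary[:1024], "description": description, "severity": severity}


def build_advisory_request(config, summary, description, token, severity="medium"):
    """Build (but do not send) the POST that creates a private advisory on the
    project's main_repo. Returning the Request keeps this testable offline."""
    url = f"{GITHUB_API}/repos/{repo_slug(config['main_repo'])}/security-advisories"
    body = json.dumps(build_advisory_payload(summary, description, severity)).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )


def send(request):
    """Actually perform the call; separated so nothing above needs network."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)


if __name__ == "__main__":
    cfg = parse_project_yaml(SAMPLE_PROJECT_YAML)
    print("channels:", report_channels(cfg))
    req = build_advisory_request(
        cfg, "Heap overflow found by OSS-Fuzz (constructed example)",
        "Reproducer and stack trace would go here.", token="<PLACEHOLDER_TOKEN>",
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

The token used to create advisories needs write access to the repository's advisories, so it is a per-project secret rather than the public issue-filing identity; the `send` step is kept separate from request construction so the routing logic can be exercised without credentials.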
