
Add support for filing GitHub Security Advisories via `file_github_security_advisory`

Open pellared opened this issue 1 month ago • 0 comments

Background

OSS-Fuzz currently supports filing public GitHub issues when bugs are found via the file_github_issue configuration option in project.yaml files. However, many projects need a way to report security vulnerabilities privately before public disclosure, following responsible disclosure practices.

GitHub Security Advisories provide a secure, authenticated channel for privately reporting vulnerabilities, which is more reliable than email-based reporting (which can become outdated or go to unverified recipients).

Related OSS-Fuzz issue: https://github.com/google/oss-fuzz/issues/14230

Proposed Enhancement

Add support for a new file_github_security_advisory configuration option in OSS-Fuzz project.yaml files that would automatically create private GitHub Security Advisories instead of (or in addition to) public issues.

Configuration Example

homepage: "https://github.com/example/project"
language: c++
primary_contact: "[email protected]"
main_repo: "https://github.com/example/project"
file_github_security_advisory: true  # New option
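As an added example (not code from the issue or from OSS-Fuzz/ClusterFuzz), the routing a bug report would follow under the proposed option, given an already-parsed project.yaml. Assumptions, not from the page: the advisory is created through GitHub's repository security advisories REST endpoint, both options set means both channels are used, and when the advisory channel is on the public issue carries only the title so crash details stay private.

```python
from urllib.parse import urlparse


def repo_slug(main_repo: str) -> str:
    """Derive 'owner/name' from main_repo, e.g. https://github.com/example/project(.git)."""
    parsed = urlparse(main_repo)
    path = parsed.path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    owner, _, name = path.partition("/")
    if parsed.netloc != "github.com" or not owner or not name or "/" in name:
        raise ValueError(f"main_repo is not a GitHub owner/repo URL: {main_repo}")
    return f"{owner}/{name}"


def plan_reports(project: dict, crash: dict) -> list:
    """Return the (method, path, body) requests one crash should produce.

    Assumed semantics: file_github_security_advisory opens a private advisory;
    file_github_issue still opens a public issue; both set => both channels.
    """
    slug = repo_slug(project["main_repo"])
    private = bool(project.get("file_github_security_advisory"))
    requests = []
    if private:
        # Assumed endpoint: POST /repos/{owner}/{repo}/security-advisories
        requests.append(("POST", f"/repos/{slug}/security-advisories", {
            "summary": crash["title"],
            "description": crash["details"],  # reproducer stays in the private channel
            "severity": "medium",
        }))
    if project.get("file_github_issue"):
        # With the private channel on, the public issue gets no crash details (assumed policy).
        body = crash["title"] if private else crash["details"]
        requests.append(("POST", f"/repos/{slug}/issues",
                         {"title": crash["title"], "body": body}))
    return requests


# Constructed inputs mirroring the configuration example above.
PROJECT = {
    "homepage": "https://github.com/example/project",
    "language": "c++",
    "main_repo": "https://github.com/example/project",
    "file_github_security_advisory": True,
}
CRASH = {"title": "Heap-buffer-overflow in parse_header (constructed)",
         "details": "stack trace and reproducer (constructed)"}

if __name__ == "__main__":
    for method, path, body in plan_reports(PROJECT, CRASH):
        print(method, path, sorted(body))
```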

pellared, Nov 05 '25 08:11