GitHub has announced that it is now a Common Vulnerabilities and Exposures (CVE) Numbering Authority. CVE Numbering Authorities are authorized to assign CVE IDs to vulnerabilities that affect products within their geographic area, within a specific scope, for inclusion in initial public announcements of new vulnerabilities. CVE IDs are used by researchers and IT vendors to better uncover, correct, and defend against vulnerabilities.
"We believe that fast, unfettered movement of vulnerability data is critical to improving software security," Shanku Niyogi, GitHub SVP of Product, commented in a blog post announcement. "This is why we're excited to share that GitHub has been approved as a CVE Numbering Authority for open source projects."
As a CVE Numbering Authority, GitHub can better serve its developer community in reporting vulnerabilities. Instead of going through a manual, relayed process, developers and contributors will be able to report vulnerabilities from GitHub repositories. Once a vulnerability is reported, GitHub can directly assign a CVE ID, which is uploaded to the National Vulnerability Database (NVD).
GitHub's announcement is another step in its broader goal to "secure the world's code." GitHub plans to issue CVE IDs for security advisories opened in GitHub. Check out the blog post announcement to learn more about GitHub's plans.