GitHub senior product manager Kate Catlin explained that the company has teams of security researchers that review all changes and help keep security advisories up to date. But with the amount of new vulnerabilities and different attack vectors emerging each day, the company believes members of its community may be able to share additional insights and intelligence on CVEs. “GitHub is publishing the full contents of the Advisory Database to make it easier for the community to benefit from this data. We’ve also built a user interface for making contributions… The data is licensed under a Creative Commons license, and has been since the database’s inception, making it forever free and usable by the community,” Catlin said. “The GitHub Advisory Database is the largest database of vulnerabilities in software dependencies in the world. It is maintained by a dedicated team of full-time curators and powers the security audit experience for npm and NuGet, as well as GitHub’s own Dependabot alerts. By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software.” GitHub has built a “suggest improvements for this vulnerability” workflow into security advisories in the database. This allows researchers from GitHub Security Lab and the maintainer of the project who filed the CVE to review your request. The form allows you to suggest changes or to provide more context on packages, affected versions, impacted ecosystems, and more. Catlin added that the advisories in the GitHub Advisory Database repository will use the Open Source Vulnerabilities (OSV) format. Oliver Chang, software engineer for Google’s Open Source Security Team, said in order for vulnerability management in open source to scale, security advisories “need to be broadly accessible and easily contributed to by all.” “OSV provides that capability,” Chang said. GitHub repeatedly pushed its users to enable two-factor authentication last year and, in August, announced that it would stop accepting account passwords when authenticating Git operations. The platform began requiring people to use stronger authentication factors like personal access tokens, SSH keys, and OAuth or GitHub App installation tokens for all authenticated Git operations on GitHub.com. In January GitHub announced that two-factor authentication will be available to all users through GitHub Mobile.