With the rise of LLM usage, the number of vulnerabilities being found in Open Source Software libraries is climbing – perhaps more than you might think. Finding vulnerabilities is getting easier, but reporting them to maintainers can be a bottleneck. One way to help streamline the process is by enabling “Private vulnerability reporting” on your GitHub repositories. This gives reporters a private, official channel to reach out to you with details about exploits (both confirmed and unconfirmed).
Image: "Crayons" by echilds41 is licensed under CC BY 2.0.
You might think “just email me – I’m not hard to find”, but you’d be surprised how often nailing down the right email and the right contact person is a source of friction. If you’re able to toggle this switch, you are opening up a pathway for reporters to let you know about a possible CVE so that they can either help you remedy the situation or move on to the next CVE on their list.
If you have GitHub’s “gh” tool installed, this is trivial to do:
```bash
#!/usr/bin/env bash
set -eu -o pipefail
# Enable "Private vulnerability reporting" for all repos you have admin access to.
# Optionally pass an org name to target that org's repos instead of your own.
#
# Filters applied to `gh repo list`:
#   --no-archived        skip archived repos (can't change settings on them)
#   --visibility public  skip private and internal repos
#   --source             skip forks (PVR is configured on the upstream)
#   --limit 1000         cap result set; raise if you have more repos
owner=${1:-}
gh repo list ${owner:+"$owner"} --limit 1000 --no-archived --visibility public --source \
    --json nameWithOwner --jq '.[].nameWithOwner' | \
while IFS= read -r repo; do
  echo "Enabling private vulnerability reporting: $repo"
  gh api "repos/$repo/private-vulnerability-reporting" -X PUT --silent \
    || echo "  failed: $repo"
done
echo "Done."
```

Run it with no arguments to target your own repos, or pass an org name to target an org you administer:

```bash
./enable-pvr.sh            # your repos
./enable-pvr.sh some-org   # repos in some-org
```

Thanks for helping to make the OSS landscape a better place, but be warned: this could take up to three minutes of your time!
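After the enable script has run (or before, to see where you stand), it is worth checking which repos actually have the setting on. The script below is an added example, not part of the original post: it uses the GET form of the same `private-vulnerability-reporting` endpoint, which answers `{"enabled": true}` or `{"enabled": false}`, and reports the repos that are still off. The function names (`pvr_state`, `check_repo`, `needs_attention`, `audit`) and the `audit-pvr.sh` filename are my own; the JSON bodies in the comments are constructed samples of the documented response shape.

```bash
#!/usr/bin/env bash
# Audit which repos still have private vulnerability reporting switched off.
# Added example, not from the original post; function names are invented here.
set -eu

# Classify the JSON body returned by
#   GET /repos/{owner}/{repo}/private-vulnerability-reporting
# which is {"enabled": true} or {"enabled": false}. Pure string matching, so it
# can be exercised offline without an authenticated gh.
pvr_state() {
  case "$1" in
    *'"enabled"'*true*)  echo enabled ;;
    *'"enabled"'*false*) echo disabled ;;
    *)                   echo unknown ;;   # e.g. an error body for a missing repo
  esac
}

# Query one repo (owner/name) through gh and print "<state> <repo>".
# Requires gh to be installed and authenticated; a failed call never aborts the run.
check_repo() {
  r=$1
  if body=$(gh api "repos/$r/private-vulnerability-reporting" 2>/dev/null); then
    printf '%s %s\n' "$(pvr_state "$body")" "$r"
  else
    printf 'unknown %s\n' "$r"
  fi
}

# Read "<state> <repo>" lines on stdin and print only the repos that are not
# enabled (disabled or unknown), i.e. the ones worth a second look.
needs_attention() {
  awk '$1 != "enabled" { print $2 }'
}

# Same repo selection as the enable script: public, non-archived, non-fork.
# Pass an org name to audit that org instead of your own repos.
audit() {
  owner=${1:-}
  gh repo list ${owner:+"$owner"} --limit 1000 --no-archived --visibility public --source \
      --json nameWithOwner --jq '.[].nameWithOwner' |
  while IFS= read -r repo; do
    check_repo "$repo"
  done
}

# Run the live audit only when executed as audit-pvr.sh; when the file is
# sourced (for instance to test the pure functions) nothing is queried.
if [ "${0##*/}" = "audit-pvr.sh" ]; then
  audit "$@" | needs_attention
fi
```

Saved as `audit-pvr.sh`, `./audit-pvr.sh` lists your repos that still need the toggle flipped and `./audit-pvr.sh some-org` does the same for an org. A repo that shows up as `unknown` usually means the token lacks admin access to it, which is also why the enable script would have printed `failed` for it.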
