@bagder
Last active February 7, 2026 22:37
GitHub Security Advisory wishlist from the curl project

  1. GitHub sends the whole report over email/notification with no way to disable this. SMTP and email are known to be insecure and cannot assure end-to-end protection. This risks leaking secrets early to the entire email chain.

  2. We can't properly close out invalid reports and have them clearly marked as such.

  3. Per-repo default collaborators on GitHub Security Advisories is annoying as we now have to manually add the security team for each advisory or have a rather quirky workflow scripting it. https://github.com/orgs/community/discussions/63041

  4. we can't edit the CVE number field! We are a CNA, we mint our own CVE records so this is frustrating. This adds confusion.

  5. We want to (optionally) get rid of the CVSS score + calculator in the form as we actively discourage using those in curl CVE records

  6. No CI jobs in private forks is going to make us effectively not use such forks, but it is not a big obstacle for us because of our vulnerability working process. https://github.com/orgs/community/discussions/35165

  7. No "quote" option in the discussions?

  8. We want to use GitHub's security advisories as the report to the project, not as the final advisory (we write that ourselves). This might get confusing, as even for the confirmed ones the project advisories (hosted elsewhere) are the official ones, not the ones on GitHub.

  9. No advisory count next to "Security" up in the tabs, like for "Issues" and "Pull requests", which makes it harder to see progress/updates.

  10. When looking at an individual advisory, there is no direct button/link to go back to the list of current advisories

  11. In an advisory, you can only "report content", there is no direct "block user" option like for issues

  12. There is no way to add private, team-only comments, for example when discussing abuse or details not intended for the reporter or other invited persons in the issue.

  13. There is a lack of short (internal) identifier or name per issue, which makes it annoying and hard to refer to specific reports when discussing them in the security team. The existing identifiers are long and hard to differentiate from each other.

  14. Quite weirdly, you cannot get completion help for @[nick] in comments to address people who were added to the advisory because they are members of a team you added to the issue?

  15. There are no labels, like for issues and pull requests, which makes it impossible for us to, for example, mark the AI slop ones or other things, for statistics, metrics and future research.

hugovk commented Feb 6, 2026

  1. https://github.com/notifications shows "commented" as the reason for a GHSA notification, even though you've not interacted in any way with the advisory (other than to be added as a collaborator via a team membership).
