Researchers, academics, and enthusiasts can now contribute to and benefit from free, open-source security data on software supply chain vulnerabilities.

Software development platform GitHub has made its Advisory Database open to community contributions, allowing anyone to contribute insight and intelligence on security vulnerabilities to help improve software supply chain security. The full contents of the database will also now be published to a new, freely accessible public repository under a Creative Commons license. Experts say data sharing of this kind is key to improving the security of software supply chains and addressing software-related risks.

Security community to benefit from free and open data

Millions of developers and companies use GitHub to build, ship and maintain software. By making its Advisory Database publicly open to community contributions, the firm said security researchers, academics and enthusiasts will be able to provide, share and benefit from additional information and context to further the community’s understanding and awareness of security advisories.

“GitHub believes that free and open security data is critical to empowering the industry as a whole to best secure our software supply chains,” the company added. “The GitHub Advisory Database is the largest database of vulnerabilities in software dependencies in the world. By making it easier to contribute to and consume, we hope it will power even more experiences and will further help improve the security of all software.”

GitHub has built a user interface for making contributions, which researchers from the GitHub Security Lab will review. Contributors can suggest changes or provide context on packages, affected versions, and impacted ecosystems, and will get public credit on their GitHub profile once their contribution is accepted. The Open-Source Vulnerabilities (OSV) format will be used for advisories in the repository, GitHub stated.
“In order for vulnerability management in open source to scale, security advisories need to be broadly accessible and easily contributed to by all,” says Oliver Chang, software engineer for Google’s Open Source Security Team. “OSV provides that capability.”

Data sharing integral to software supply chain security

GitHub’s move is a step forward in securing open-source projects and libraries, Yaniv Balmas, vice president of research at Salt Security, tells CSO. “The number of publicly reported software vulnerabilities is at an all-time high and keeps growing from year to year. Good and consistent information sharing might be one of the most effective ways to address this issue,” he says.

Since GitHub holds the largest portion of open-source code, making the Advisory Database open to community contributions will give software vendors more visibility into the status of security issues in each version of software or shared library they are using, as well as help vulnerability hunters report and fix bugs, Balmas adds. “It will also help tackle the issue of software supply chain attacks, as it will give vendors a clearer view of each shared software component they use and the status of their security issues.”

ESET global cybersecurity advisor Jake Moore agrees. “The software supply chain has taken a huge hit over the last few years with vulnerabilities being highlighted and shared in dark marketplaces before their victims have even had a chance to respond,” he says, adding that sharing newfound threat intelligence within trusted communities will enable those who may not be best protected to access the latest updates and patch information.