Security Vulnerability Report Template
A responsible disclosure issue template for reporting security vulnerabilities with CVSS scoring, affected versions, proof of concept, and remediation suggestions.
Detailed Explanation
Security vulnerability reports need different handling from ordinary bug reports. Many projects use GitHub's private vulnerability reporting feature, but a template still ensures that the same information is collected from every reporter. GitHub issue forms are YAML files under `.github/ISSUE_TEMPLATE/` (for example `.github/ISSUE_TEMPLATE/security.yml`).
Template Structure
```yaml
name: "Security Vulnerability"
description: "Report a security vulnerability (use private reporting if available)"
title: "[Security]: "
labels: ["security", "priority:critical"]
body:
  - type: markdown
    attributes:
      value: |
        **Important**: If this repository supports GitHub's private vulnerability
        reporting, please use that feature instead of filing a public issue.
        Go to Security > Advisories > Report a vulnerability.
  - type: dropdown
    id: vulnerability_type
    attributes:
      label: "Vulnerability Type"
      options:
        - "Authentication Bypass"
        - "Authorization Flaw"
        - "Cross-Site Scripting (XSS)"
        - "SQL Injection"
        - "Remote Code Execution"
        - "Information Disclosure"
        - "Denial of Service"
        - "Dependency Vulnerability"
        - "Other"
    validations:
      required: true
  - type: dropdown
    id: severity
    attributes:
      label: "Estimated Severity (CVSS)"
      options:
        - "Critical (9.0-10.0)"
        - "High (7.0-8.9)"
        - "Medium (4.0-6.9)"
        - "Low (0.1-3.9)"
    validations:
      required: true
  - type: input
    id: affected_versions
    attributes:
      label: "Affected Versions"
      placeholder: ">= 2.0.0, < 2.5.3"
    validations:
      required: true
  - type: textarea
    id: description
    attributes:
      label: "Vulnerability Description"
      description: "Describe the vulnerability and its impact"
    validations:
      required: true
  - type: textarea
    id: reproduction
    attributes:
      label: "Steps to Reproduce / Proof of Concept"
      description: "Minimal steps to demonstrate the vulnerability"
    validations:
      required: true
  - type: textarea
    id: remediation
    attributes:
      label: "Suggested Remediation"
      description: "If you have ideas on how to fix this"
    validations:
      required: false
```
Private vs. Public Reporting
The markdown warning at the top is crucial: a public issue that contains reproduction steps or a proof of concept is a ready-made exploit that anyone can use before a fix ships. Always recommend private vulnerability reporting when it is available, and remember that it has to be enabled by the repository maintainers in the repository's security settings. For a project without it, point reporters to a security contact (for example in a SECURITY.md file) rather than collecting the proof of concept in a public issue.
CVSS Scoring
Including an estimated CVSS severity helps maintainers prioritize the response. The Common Vulnerability Scoring System provides a standardized way to communicate the severity of security issues, and the four options in the template are the CVSS v3.1 qualitative rating bands (a base score of 0.0 is rated None and has no option). A bucket alone is lossy, and reporters tend to over-estimate, so it is worth also asking for the full vector string (`CVSS:3.1/AV:.../A:...`) so that maintainers can recompute the score and check it against the claimed bucket instead of taking the estimate at face value.
Responsible Disclosure
Consider adding a checkbox asking reporters to confirm they will follow responsible disclosure practices and not publicize the vulnerability until a fix is available. GitHub issue forms support this with a `checkboxes` element, and an individual option can be marked `required: true` so the form cannot be submitted without ticking it.
Use Case
Open-source projects and organizations that need a structured process for receiving security vulnerability reports, especially those without dedicated security teams or established PSIRT workflows.