GitHub Advisory Pipeline: Understanding Variations in Advisory Speed
GitHub Security Advisories Pipeline Study
A recent study analyzed the GitHub Security Advisories pipeline, which distributes vulnerability information to open-source projects and to the security tools that consume it. The research found that only a small fraction of advisories undergo GitHub's formal review process. Between 2019 and 2025, 288,604 advisories were published, but only 23,563, or about 8%, completed review.
Importance of Reviewed Advisories
Although most advisories remain unreviewed, those that do complete the process play a crucial role in security workflows. Reviewed advisories are what feed dependency scanners, alerting systems, and automated remediation tools used by development teams, so for a downstream consumer the date an advisory clears review, not the date it was first published, is the date it becomes actionable.
Advisory Timelines
To understand advisory timelines, researchers combined GitHub advisory records with publication data from the National Vulnerability Database (NVD) and ecosystem-specific databases.
Paths into GitHub’s Review System
The analysis revealed that advisories tend to follow one of two paths into GitHub's review system. Some originate within GitHub, created by project maintainers directly in their repositories, often while a fix is still being prepared. Others originate outside GitHub, typically as NVD entries, and are imported into the advisory database later.
Review Time Comparison
The study found that advisories created within GitHub are reviewed significantly faster than those sourced from the NVD. After June 2022, 95% of GitHub-created advisories were reviewed within five days of publication, compared to 78% of NVD-sourced advisories. The median review time for GitHub-created advisories was under one day, while NVD-sourced advisories took longer, often stretching into weeks.
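The metrics above (review lag measured from publication, and the share reviewed within five days) can be reproduced from the public advisory records themselves. The following is an added example, not code from the study or from GitHub: it reads records in the OSV-style JSON layout used by the github/advisory-database repository, classifies each reviewed advisory by entry path, and reports the median lag and the within-threshold share per path. The entry-path rule is an assumption made for this example (an advisory whose `nvd_published_at` is at or before its GitHub `published` timestamp is treated as NVD-sourced); the sample records and their identifiers are constructed. Patch-release dates are not present in these records, so the patch-to-review gap discussed later on the page would need the ecosystem release data the researchers joined in.

```python
import json
import statistics
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample records in the OSV-style layout used by the
# github/advisory-database files. IDs, dates and the "ecosystem" values
# are made up for this example; only the field names follow the real layout.
SAMPLE_RECORDS = [
    {   # maintainer-created, reviewed the same day; no NVD entry yet
        "id": "GHSA-0000-0000-0001", "published": "2024-03-01T12:00:00Z",
        "database_specific": {"github_reviewed": True,
                              "github_reviewed_at": "2024-03-01T18:00:00Z"}},
    {   # maintainer-created; the CVE landed in the NVD two days later
        "id": "GHSA-0000-0000-0002", "published": "2024-03-05T00:00:00Z",
        "database_specific": {"github_reviewed": True,
                              "github_reviewed_at": "2024-03-06T00:00:00Z",
                              "nvd_published_at": "2024-03-07T00:00:00Z"}},
    {"id": "GHSA-0000-0000-0003", "published": "2024-03-10T00:00:00Z",
     "database_specific": {"github_reviewed": True,
                           "github_reviewed_at": "2024-03-10T12:00:00Z"}},
    {   # NVD-sourced: NVD entry predates the GitHub record
        "id": "GHSA-0000-0000-0004", "published": "2024-02-20T06:00:00Z",
        "database_specific": {"github_reviewed": True,
                              "github_reviewed_at": "2024-03-01T06:00:00Z",
                              "nvd_published_at": "2024-02-20T00:00:00Z"}},
    {"id": "GHSA-0000-0000-0005", "published": "2024-02-25T01:00:00Z",
     "database_specific": {"github_reviewed": True,
                           "github_reviewed_at": "2024-02-27T01:00:00Z",
                           "nvd_published_at": "2024-02-25T00:00:00Z"}},
    {"id": "GHSA-0000-0000-0006", "published": "2024-02-28T02:00:00Z",
     "database_specific": {"github_reviewed": True,
                           "github_reviewed_at": "2024-03-27T02:00:00Z",
                           "nvd_published_at": "2024-02-28T00:00:00Z"}},
    {   # unreviewed: never reaches alerting tools, so it carries no lag
        "id": "GHSA-0000-0000-0007", "published": "2024-03-12T00:00:00Z",
        "database_specific": {"github_reviewed": False,
                              "nvd_published_at": "2024-03-11T00:00:00Z"}},
]


def parse_ts(value):
    """Parse the ISO 8601 'Z'-suffixed timestamps used in the advisory files."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def entry_path(record):
    """Assumed classification rule: NVD-sourced if the NVD entry is not newer
    than the GitHub publication; otherwise treated as created within GitHub."""
    ds = record.get("database_specific", {})
    nvd_at = ds.get("nvd_published_at")
    if nvd_at and parse_ts(nvd_at) <= parse_ts(record["published"]):
        return "nvd"
    return "github"


def review_lag_days(record):
    """Days from GitHub publication to GitHub review; None if unreviewed."""
    ds = record.get("database_specific", {})
    if not ds.get("github_reviewed") or not ds.get("github_reviewed_at"):
        return None
    delta = parse_ts(ds["github_reviewed_at"]) - parse_ts(record["published"])
    return delta.total_seconds() / 86400


def summarize(records, threshold_days=5):
    """Per entry path: count, median lag, share reviewed within the threshold."""
    lags = {"github": [], "nvd": []}
    unreviewed = 0
    for record in records:
        lag = review_lag_days(record)
        if lag is None:
            unreviewed += 1
            continue
        lags[entry_path(record)].append(lag)
    summary = {"unreviewed": unreviewed}
    for path, values in lags.items():
        summary[path] = {
            "count": len(values),
            "median_days": statistics.median(values) if values else None,
            "share_within_threshold":
                sum(v <= threshold_days for v in values) / len(values) if values else None,
        }
    return summary


def load_osv_dir(root):
    """Load every *.json record under a checkout of the advisory database."""
    return [json.loads(p.read_text()) for p in Path(root).rglob("*.json")]


if __name__ == "__main__":
    # Point this at e.g. advisory-database/advisories/github-reviewed for real data.
    print(json.dumps(summarize(SAMPLE_RECORDS), indent=2))
```

On the constructed sample this reports a 0.5-day median for GitHub-created advisories (all within five days) against a 10-day median for NVD-sourced ones (one of three within five days), which is the shape of the gap the study describes. Run `load_osv_dir` over a local checkout of the advisory database to measure it on real records; filter on `published` to reproduce the post-June-2022 split.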
Timing of Patch Releases and Advisory Reviews
The timing of patch releases relative to advisory reviews is what matters to defenders. The median time from patch release to review was two days for GitHub-created advisories, compared to 28 days for NVD-sourced advisories. During this interval a fix is already available, but automated warnings that depend on reviewed advisories lag behind it, so a team that relies solely on those alerts can remain unaware that an update is needed. Teams that want to close that window have to watch upstream release notes and the NVD entry directly rather than wait for the reviewed advisory.
GitHub’s Automation Effort
GitHub's automation effort, which began in mid-2022, improved review timelines for advisories imported from the NVD. Median review times for these dropped to under one day, with most reviewed within four days. However, review speed continued to differ by entry path, with GitHub-created advisories consistently moving through review faster.
Differences in Reviewer Experience and Repository Characteristics
The study also found differences in reviewer experience and repository characteristics. GitHub-created advisories were often reviewed by contributors with limited prior review history, while NVD-sourced advisories were reviewed by more experienced contributors. Repositories linked to GitHub-created advisories were more likely to have an explicit security policy and were better prepared for coordinated vulnerability disclosure.
Improving the Advisory Review Process
The difference in review timing can be attributed to the structure of GitHub's review pipeline. Advisories imported from the NVD pass through an additional waiting stage before review, while GitHub-created advisories enter the review queue directly. Changes in disclosure behavior that reduce the share of advisories arriving through the NVD, such as maintainers opening the advisory in the repository at the time the fix is prepared rather than waiting for a CVE to be imported, could therefore measurably reduce review time.
Conclusion
The study’s findings highlight the importance of streamlining the advisory review process to ensure timely vulnerability disclosure and remediation. By understanding the factors that influence review speed, GitHub and the open-source community can work towards improving the overall efficiency of the advisory pipeline.
