Private channel for reporting a security issue

[Wang-Haimin]

Hello maintainers,

I found a potential security issue affecting a GitHub Actions workflow in this repository.

I do not want to disclose technical details publicly before maintainers have reviewed them. Could you please enable GitHub private vulnerability reporting or provide an alternative private security contact email?

I can provide a detailed report including the affected workflow path, current commit, impact assessment, non-destructive validation steps, and suggested remediation.

[pchiusano]

Hi @Wang-Haimin thanks for this. I've enabled GitHub private vulnerability reporting, looking forward to your report.

[Wang-Haimin]

Thanks a lot! I've successfully submitted the report.

[pchiusano]

Do you know where it's expected to show up? Or can you provide a link that only owners can view?

I'm having trouble locating..

[Wang-Haimin]

Hi @pchiusano,

Thanks for checking.

The report should appear under the repository’s private security advisories / privately reported vulnerabilities.

GitHub’s documented path for maintainers is:

Security and quality → Reporting → Advisories

The advisory should be in “Triage” status.

I can see it here:

https://github.com/unisonweb/unison/security/advisories/GHSA-7p5f-7r69-cq69

This link should only be accessible to repository owners/maintainers who have permission to view private security advisories. If you still cannot access it, it may require an owner or security manager in the unisonweb organization to open it or adjust advisory access.

I will keep all technical details inside the private advisory.