Background
OSS-Fuzz currently supports filing public GitHub issues when bugs are found via the file_github_issue configuration option in project.yaml files. However, many projects need a way to report security vulnerabilities privately before public disclosure, following responsible disclosure practices.
GitHub Security Advisories provide a secure, authenticated channel for privately reporting vulnerabilities, which is more reliable than email-based reporting (which can become outdated or go to unverified recipients).
Related OSS-Fuzz issue: google/oss-fuzz#14230
Proposed Enhancement
Add support for a new file_github_security_advisory configuration option in OSS-Fuzz project.yaml files that would automatically create private GitHub Security Advisories instead of (or in addition to) public issues.
Configuration Example
homepage: "https://github.com/example/project"
language: c++
primary_contact: "[email protected]"
main_repo: "https://github.com/example/project"
file_github_security_advisory: true # New option
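To make the proposal concrete, here is an added example (not OSS-Fuzz code, and not part of this proposal's text) of how a consumer of project.yaml could validate the new option and decide which reporting channel a finding goes to. The helper names (`parse_flat_yaml`, `check_reporting_config`, `reporting_channels`), the rule that a private advisory requires `main_repo` to live on github.com, and the "advisory plus optional public issue, else email" policy are all assumptions for illustration; the sample config is constructed and mirrors the example above.

```python
"""Hypothetical validation for the proposed file_github_security_advisory
option. Added example, not OSS-Fuzz code. A tiny flat key/value parser is
used so the snippet runs without PyYAML."""
from urllib.parse import urlparse

GITHUB_HOST = "github.com"  # assumption: advisories are tied to GitHub-hosted repos

# Constructed sample matching the configuration example in the proposal.
SAMPLE_PROJECT_YAML = """\
homepage: "https://github.com/example/project"
language: c++
primary_contact: "security@example.org"
main_repo: "https://github.com/example/project"
file_github_security_advisory: true # New option
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse 'key: value  # comment' lines of a flat project.yaml.

    Quoted strings lose their quotes, true/false become bools, everything
    else stays a string. Nested YAML is out of scope for this sketch.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if " #" in line:  # trailing comment such as '# New option'
            line = line.split(" #", 1)[0].rstrip()
        if ":" not in line:
            raise ValueError(f"not a key: value line: {raw!r}")
        key, value = line.split(":", 1)  # first colon ends the key; URLs keep theirs
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        elif value.lower() in ("true", "false"):
            value = value.lower() == "true"
        cfg[key.strip()] = value
    return cfg


def check_reporting_config(cfg: dict) -> list:
    """Return a list of problems with the bug-reporting settings (empty = ok)."""
    problems = []
    want_advisory = cfg.get("file_github_security_advisory", False)
    if not isinstance(want_advisory, bool):
        # 'yes', 'on', '1' etc. are rejected: the option must be a YAML boolean
        problems.append("file_github_security_advisory must be true or false")
        return problems
    if want_advisory:
        repo = cfg.get("main_repo", "")
        host = urlparse(repo).netloc.lower() if isinstance(repo, str) else ""
        if host != GITHUB_HOST:
            problems.append(
                "file_github_security_advisory requires main_repo to be a "
                "github.com repository"
            )
    return problems


def reporting_channels(cfg: dict) -> list:
    """Assumed policy: a private advisory when enabled, a public issue when
    enabled (the proposal allows both), and e-mail only when neither is set."""
    channels = []
    if cfg.get("file_github_security_advisory") is True:
        channels.append("private-advisory")
    if cfg.get("file_github_issue") is True:
        channels.append("public-issue")
    return channels or ["email"]


if __name__ == "__main__":
    cfg = parse_flat_yaml(SAMPLE_PROJECT_YAML)
    print("problems:", check_reporting_config(cfg))
    print("channels:", reporting_channels(cfg))
```

Running the sample reports no problems and routes findings to the private advisory only; changing `main_repo` to a non-GitHub host, or writing the option as `yes` instead of `true`, is flagged before any report is filed.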