GitHub announced the discovery of more than 4 million vulnerabilities across more than 500,000 repositories.
Shortly after the program was launched, GitHub said that 450,000 of the identified flaws had been resolved by Dec. 1, 2017, and that about 30 percent of vulnerabilities were resolved within the first seven days of detection. “Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week,” the company said. “Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”
The company is seeing maintainers patch vulnerabilities in fewer than seven days for almost all repositories with recent contributions. GitHub emphasized that it never publicly discloses identified vulnerabilities for any repository, and that it detects vulnerable dependencies in public repositories by default. Owners and admins of these repositories have the option to opt into vulnerability detection for the repository.