Security advisory credit badge not displayed on profile?

[tomaarsen]

Select Topic Area

Question

Body

Hello!

According to the docs here, if a submitted security advisory is accepted, you'll get a Security advisory credit badge on your profile. In the past, I have submitted and been credited for GHSA-f8m6-h2c7-8h9x. If I hover over my name in the credits section of that advisory, it says: "1 security advisory credit".

However, despite having this advisory credit, the credit is not displayed on my profile. I do know that it is possible for users to get this info in their Highlights section with just one credit, as I have seen it on other profiles, e.g. https://github.com/robmcl4.

So, my first question is, how can I display my security advisory credit on my profile?

---

Additionally, I have a second question. In the past, other advisories have been made and published by other CVE Numbering Authorities (CNA), like GHSA-2ww3-fxvq-293j. This vulnerability was resolved by me, but I am not credited in the advisory. Is there something I can do about that?

Thanks all.

• Tom Aarsen

[LeoDog896]

I have the same issue with GHSA-mc52-jpm2-cqh6, but I didn't create the advisory, but was instead credited for finding and reporting it. However, just like OP, there isn't a badge on my profile either.

[Xitro01]

Same issue for me (GHSA-fffj-6fr6-3fgf) how did you eventually fix it?

[LeoDog896]

It seemed to have fixed itself.

[Xitro01]

Strange. I accepted it half a year ago and it still did not appear. So maybe GitHub staff fixed it for you guys?

[LeoDog896]

Most likely

[litetex]

+1

Having the same issue with GHSA-wxrm-jhpf-vp6v

[tesaguri]

I have the same issue with my vulnerability reports (GHSA-5prv-r7jg-vrf7, GHSA-xmw2-875x-rq88, GHSA-jhrq-qvrm-qr36, GHSA-qqrm-9grj-6v32, GHSA-2vxv-pv3m-3wvj and GHSA-f7g9-xhcq-5ww6).

So far, the common factor among advisories displayed on profile pages AFAICT is that they are labeled as GitHub Reviewed while the advisories affected by the issues are not. From the description in the linked documentation, it seems that only advisories for libraries in certain ecosystems are considered eligible for this category.

But that is weird given that the documentation of the badges doesn't mention anything about GitHub-reviewed advisories. If that were really the requirement for being displayed in the profile page, I think the documentation should be updated to mention that requirement at least.