GitHub adds lock feature for draft security advisories to prevent unintended edits
GitHub · feature, security · github.blog

New Lock Feature for Security Advisories

Repository administrators can now lock draft repository security advisories and private vulnerability reports. Locking prevents collaborators from editing advisory content or metadata while still allowing them to participate through comments.

How It Works

When an advisory is locked, only repository administrators can make changes to the advisory details. Collaborators retain the ability to participate in discussions through comments, ensuring that triage conversations can continue without interruption.

Use Cases

This feature is particularly valuable for:

  • Preserving integrity: Once a report has been reviewed and severity decisions made, locking prevents unintended changes to critical fields
  • Controlled publication: Maintain record consistency during the final stages before publishing an advisory
  • Audit trails: Ensure that the advisory snapshot represents the final decision before public disclosure

How to Use

To lock or unlock a draft advisory, navigate to the advisory and select Lock advisory from the advisory actions menu on the right side. Note that only repository administrators can perform this action.

For more information, consult GitHub's documentation on repository security advisories and managing privately reported security vulnerabilities.