
Faster advisory reviews accelerate vulnerability mitigation for developers, reducing exposure windows and improving overall software supply‑chain security.
GitHub Security Advisories have become a cornerstone for open‑source vulnerability disclosure, feeding dependency scanners, alerting platforms, and automated remediation tools. The study’s dataset—nearly 300,000 advisories—highlights a stark bottleneck: a mere eight percent progress through GitHub’s formal review, yet those that do shape the security posture of countless projects. Understanding how advisories travel from discovery to review is essential for organizations that rely on timely alerts to protect their software supply chain.
The research identifies two distinct entry paths. Repository Advisories, authored by maintainers within GitHub, enter the review queue directly and typically achieve median review times under a day, even after patches are released. In contrast, NVD‑sourced advisories must pass an additional waiting stage, resulting in a median 28‑day lag post‑patch before review completion. GitHub’s 2022 automation push—importing historical NVD data and streamlining processing—cut the median NVD review time to under one day, yet the structural delay remains evident across percentiles. Reviewer experience also diverges, with seasoned contributors handling most NVD imports while many repository advisories are reviewed by first‑time contributors.
For enterprises, these timing disparities translate into measurable risk. Longer review windows allow attackers to weaponize publicly available patches while defenders remain unaware of the need to update. Reducing the proportion of NVD‑imported advisories—from 47% to 10%—could halve average review latency, tightening the defensive loop. Companies should prioritize integrating directly with GitHub Repository Advisories, encourage maintainers to publish advisories within the platform, and monitor reviewer expertise to ensure rapid, reliable vulnerability communication across the software ecosystem.
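One way to measure the review lag the study describes against your own advisory feed, as an added example (not code from the article or from the study it summarises): group advisories by source, report the median days from publication to GitHub review, and list any still unreviewed past a threshold. The `published_at` and `github_reviewed_at` fields follow GitHub's global advisories REST API; the `source` key and every record are constructed assumptions.

```python
"""Review-lag metrics for GitHub security advisories (added example, not from
the article or study). Record shape mirrors GitHub's global advisories REST API
(GET /advisories), whose responses carry `published_at` and `github_reviewed_at`;
the `source` key is an assumption added here for grouping, and all records are
constructed sample data with placeholder ghsa_id values."""
from datetime import datetime
from statistics import median

SAMPLE_ADVISORIES = [  # constructed sample data, not real advisories
    {"ghsa_id": "GHSA-xxxx-0001", "source": "repository",
     "published_at": "2024-03-01T10:00:00Z", "github_reviewed_at": "2024-03-01T18:00:00Z"},
    {"ghsa_id": "GHSA-xxxx-0002", "source": "repository",
     "published_at": "2024-03-02T09:00:00Z", "github_reviewed_at": "2024-03-02T21:00:00Z"},
    {"ghsa_id": "GHSA-xxxx-0003", "source": "repository",
     "published_at": "2024-03-03T00:00:00Z", "github_reviewed_at": "2024-03-04T00:00:00Z"},
    {"ghsa_id": "GHSA-xxxx-0004", "source": "nvd",
     "published_at": "2024-01-01T00:00:00Z", "github_reviewed_at": "2024-01-29T00:00:00Z"},
    {"ghsa_id": "GHSA-xxxx-0005", "source": "nvd",
     "published_at": "2024-01-05T00:00:00Z", "github_reviewed_at": "2024-02-09T00:00:00Z"},
    {"ghsa_id": "GHSA-xxxx-0006", "source": "nvd",
     "published_at": "2024-03-01T00:00:00Z", "github_reviewed_at": None},
]

def _parse(ts):
    """Parse the API's RFC 3339 timestamps ('Z' suffix) into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def review_lag_days(adv, now=None):
    """Days from publication to GitHub review. An unreviewed advisory is
    measured up to `now` (ISO string); without `now` it yields None."""
    reviewed_at = adv.get("github_reviewed_at") or now
    if reviewed_at is None:
        return None
    return (_parse(reviewed_at) - _parse(adv["published_at"])).total_seconds() / 86400

def lag_by_source(advisories, now=None):
    """Median review lag per source: the repository-vs-NVD comparison the study makes."""
    lags = {}
    for adv in advisories:
        lag = review_lag_days(adv, now)
        if lag is not None:
            lags.setdefault(adv["source"], []).append(lag)
    return {source: median(values) for source, values in lags.items()}

def stale_unreviewed(advisories, now, max_days=7):
    """IDs of advisories still unreviewed after max_days: open exposure windows."""
    return [adv["ghsa_id"] for adv in advisories
            if not adv.get("github_reviewed_at")
            and review_lag_days(adv, now) > max_days]
```

Pointing `SAMPLE_ADVISORIES` at records fetched from the real endpoint (filtered to the packages you depend on) turns this into a recurring check on how long your alerts sit unreviewed.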