GitHub Security Advisories (GHSA) have become a central component of open-source vulnerability disclosure and are widely used by developers and security tools. A distinctive feature of GHSA is that only a fraction of advisories are reviewed by GitHub, while the mechanisms associated with this review process remain poorly understood. In this paper, we conduct a large-scale empirical study of GHSA review processes, analyzing over 288,000 advisories spanning 2019--2025. We characterize which advisories are more likely to be reviewed, quantify review delays, and identify two distinct review-latency regimes: a fast path dominated by GitHub Repository Advisories (GRAs) and a slow path dominated by NVD-first advisories. We further develop a queueing model that accounts for this dichotomy based on the structure of the advisory processing pipeline.