Characterizing and Modeling the GitHub Security Advisories Review Pipeline

Claudio Segal, Paulo Segal, Carlos Eduardo de Schuller Banjar, Felipe Paixão, Hudson Silva Borges, Paulo Silveira Neto, Eduardo Santana de Almeida, Joanna C. S. Santos, Anton Kocheturov, Gaurav Kumar Srivastava, Daniel Sadoc Menasché

TL;DR

The paper addresses how GHSA reviews unfold in open-source vulnerability disclosure, revealing a dual-path latency structure where GRAs accelerate reviews compared to NVD-first advisories. It combines large-scale empirical analysis with a simple queueing model to explain why GRAs are reviewed faster and how NVD automation influences timing post-2022. Key contributions include a detailed socio-technical characterization of GHSA actors, a comparative timing analysis (publication-to-review and patch-to-review), and a tractable model that supports what-if analyses for disclosure strategies. The findings have practical implications for vulnerability triage, automation tooling, and policy design, highlighting GHSA’s hub role and suggesting optimizations to shorten exposure windows across ecosystems.

Abstract

GitHub Security Advisories (GHSA) have become a central component of open-source vulnerability disclosure and are widely used by developers and security tools. A distinctive feature of GHSA is that only a fraction of advisories are reviewed by GitHub, while the mechanisms associated with this review process remain poorly understood. In this paper, we conduct a large-scale empirical study of GHSA review processes, analyzing over 288,000 advisories spanning 2019–2025. We characterize which advisories are more likely to be reviewed, quantify review delays, and identify two distinct review-latency regimes: a fast path dominated by GitHub Repository Advisories (GRAs) and a slow path dominated by NVD-first advisories. We further develop a queueing model that accounts for this dichotomy based on the structure of the advisory processing pipeline.

Paper Structure (39 sections, 1 equation, 7 figures, 8 tables)

Figures (7)

  • Figure 1: Repository characteristics box plot.
  • Figure 2: Reviewer experience at review time (ECDF) for GRA vs. non-GRA advisories, and for all advisories combined.
  • Figure 3: Reviews per month by source.
  • Figure 4: Flow of reviewed GHSA across platforms.
  • Figure 5: Median review time by publish month by source.
  • ...and 2 more figures