
GitHub can’t keep up with the flood of vulnerability reports

Summary

– The GitHub Advisory Database is overwhelmed by record numbers of flaw reports, causing publication delays of up to several weeks.
– In May 2026, the database published 1,560 advisories, its highest monthly output, yet still fell short of incoming reports.
– Private vulnerability reports surged from a few hundred weekly in January to over 3,000 weekly by May; repository advisories exceeded 5,000 weekly.
– Despite delays, the database maintains quality with accurate advisories and a consistent 91–94% CVE assignment rate.
– GitHub is responding with AI tools, expanded capacity, and planned ranking of reports by exploitation signals to speed curation.

Across the open source ecosystem, vulnerability reporting has surged to unprecedented levels, and the infrastructure built to validate those reports is starting to show cracks. The GitHub Advisory Database, the engine behind automated security alerts for millions of projects, now faces delays where some new advisories take weeks to go live.

In May 2026, the database published 1,560 reviewed advisories, its highest monthly total ever and several times the usual volume. Yet even that record output couldn't keep pace with incoming submissions.

Record-breaking input across every channel

Growth is evident across all sources feeding the database. Private vulnerability reports jumped from a few hundred per week in January to more than 3,000 per week throughout most of May.

Repository advisories followed suit, peaking at over 5,000 per week. As a CVE Numbering Authority, GitHub fielded nearly 4,000 CVE requests in May alone, many times the count from the same month a year earlier.

This trend extends beyond one company. The global CVE program has already published more than 30,000 entries in 2026.

Private vulnerability reporting is now enabled on a massive base of projects, over 1.7 million repositories. To sustain this flow, GitHub maintained more than 6,000 advisory decisions per month from March through May, covering new advisories, updates, and inbound reviews.

Where the delays come from

Since mid-April, publication timelines have lengthened. Review times stretched from roughly a week to several weeks for a significant portion of reports. Because the database drives automated alerts, a longer wait widens the window during which a known vulnerability stays unflagged, and therefore unpatched, in the projects that depend on the affected package. Madison Ficorilli, the senior security manager leading the curation team, sees timeliness as essential to the database's value.

“Not every security advisory requires the same level of effort. Some arrive well formatted: the advisory details clearly name the affected package and its relevant ecosystem, the version range is documented, and the fix is tagged. A curator can validate and publish these in under a few minutes. But a growing share of incoming advisories require more investigation,” Ficorilli explained.

An increasing number of submissions demand real detective work: identifying which registry a package belongs to, reconstructing version ranges from commit history, or resolving conflicts where a CVE record, a maintainer’s note, and the code disagree on what is affected.

What remains solid

Quality has held steady throughout the surge. Published advisories remain accurate, data pipelines continue running, and anything marked as reviewed meets the same standard set before the spike. The CVE assignment rate stayed between 91 and 94 percent throughout, consistent with historical norms.

The bottleneck is throughput. GitHub stated that publishing faster by skipping verification “would increase false positives at scale,” a trade-off it carefully weighs against the cost of delay.

How GitHub is responding

The curation team has deployed AI tools to accelerate the research phase, though curators still make every final decision. Engineers have expanded backend capacity, improved triage so strong submissions move ahead sooner, and broadened automation that pulls data from upstream CVE records. Planned work focuses on reducing time spent on routine cases and ranking incoming reports by signals like active exploitation and package popularity.

What researchers can do

“If you want to help, focus on three things: submit complete vulnerability data, coordinate closely with maintainers and researchers, and request CVEs only when there is a clear intention to publish,” Ficorilli said.

Close coordination among maintainers and researchers keeps package names, version ranges, and fixes aligned across sources. Reserving CVE requests for cases headed toward real disclosure ensures curator attention stays on advisories moving toward release.
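The curator's fast path described above (affected package and ecosystem named, version range documented, fix tagged) can be checked mechanically before a report is submitted. The following is an added example, not GitHub's own curation tooling or a script from the Help Net Security article: it runs those three checks, plus a check for a fix reference, over a report written in the OSV JSON format that the GitHub Advisory Database uses for its published advisories. The package name, versions, URLs and the ecosystem list are constructed placeholders, and the rule that a range needs both an "introduced" and a "fixed" event is this example's assumption about what a complete report looks like, not a published acceptance rule.

```python
"""Completeness check for an OSV-format vulnerability report.

Illustrative example only (not GitHub's curation code). It encodes the
three things a well-formed report names, the affected package and
ecosystem, a version range, and the tagged fix, as checks over an
OSV-style JSON document, plus a check that a FIX reference corroborates
the fixed version.
"""
import json

# Ecosystem labels as they appear in OSV "package.ecosystem" fields.
# Assumption: illustrative subset, not the authoritative list.
KNOWN_ECOSYSTEMS = {
    "npm", "PyPI", "Maven", "Go", "RubyGems", "crates.io",
    "NuGet", "Packagist", "Pub", "Hex",
}


def check_advisory(doc):
    """Return a list of problems; an empty list means the report is complete."""
    problems = []
    if not doc.get("summary"):
        problems.append("missing summary")

    affected = doc.get("affected") or []
    if not affected:
        problems.append("no affected entries")

    for i, entry in enumerate(affected):
        pkg = entry.get("package") or {}
        name = pkg.get("name")
        eco = pkg.get("ecosystem")
        if not name:
            problems.append(f"affected[{i}]: package name missing")
        if eco not in KNOWN_ECOSYSTEMS:
            # A package that cannot be tied to a registry forces the
            # curator to go looking for it, the "detective work" case.
            problems.append(f"affected[{i}]: ecosystem missing or unknown: {eco!r}")

        ranges = entry.get("ranges") or []
        if not ranges:
            problems.append(f"affected[{i}]: no version range")
        for j, rng in enumerate(ranges):
            events = rng.get("events") or []
            # Version ordering is ecosystem-specific, so only presence of
            # the two endpoints is checked here, not that fixed > introduced.
            if not any("introduced" in e for e in events):
                problems.append(f"affected[{i}].ranges[{j}]: no 'introduced' event")
            if not any("fixed" in e for e in events):
                problems.append(f"affected[{i}].ranges[{j}]: no 'fixed' event (fix not tagged)")

    refs = doc.get("references") or []
    if not any(r.get("type") == "FIX" for r in refs):
        problems.append("no FIX reference (commit or release) backing the fixed version")
    return problems


def check_advisory_json(text):
    """Same check over the raw JSON text a reporter would paste into a form."""
    return check_advisory(json.loads(text))


# Constructed sample inputs. "example-widget" is a fictional package and the
# URLs are placeholders; neither describes a real vulnerability.
COMPLETE_REPORT = {
    "summary": "Constructed example: complete report",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-widget"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "2.3.1"}]}],
    }],
    "references": [
        {"type": "FIX", "url": "https://example.com/example-widget/commit/abc123"},
    ],
}

INCOMPLETE_REPORT = {
    "summary": "Constructed example: report missing ecosystem and fix",
    "affected": [{
        "package": {"name": "example-widget"},           # no ecosystem
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}]}],   # no fixed version
    }],
    "references": [{"type": "WEB", "url": "https://example.com/issue/1"}],
}

if __name__ == "__main__":
    for label, report in (("complete", COMPLETE_REPORT),
                          ("incomplete", INCOMPLETE_REPORT)):
        found = check_advisory(report)
        print(f"{label}: {'ok' if not found else ''}")
        for p in found:
            print(f"  - {p}")
```

Run as a pre-submission check, the incomplete report is rejected with three findings (unknown ecosystem, no fixed event, no FIX reference), exactly the gaps that would otherwise land on a curator's desk; the complete one passes. The checks are deliberately structural: deciding whether the named fix really closes the issue still takes a human, which is why curators make the final call.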

Two years ago, the database handled roughly 270 advisories per month. The climb since then mirrors a broader shift toward open vulnerability disclosure, and GitHub plans to keep scaling its review pipeline to match.

(Source: Help Net Security)
