And though the National Vulnerability Database is good, it isn't good enough for us, as we strive to do better. Currently, maintainers publicize outside of the NVD to things like mailing lists, their changelogs, open source groups, etc. That's where security advisories come into play. They're for private discussions on the repo. With security advisories, only the organization owners and owners of the repository can see it. You can add single people if you need additional collaborators. And when you're ready to work on a fix, you can create a private fork for that change, work on it just like a regular repository, and have a private pull request just for working on that feature. I cannot mention strongly enough how great I think this is for working on open source work. These advisories can also funnel into our own data to help us notify more people who use this content.