Characterizing and Modeling the GitHub Security Advisories Review Pipeline
Provides the first large-scale empirical characterization of GitHub's advisory review pipeline, benefiting developers and security tool maintainers who rely on GHSA for vulnerability disclosure.
Analyzed over 288,000 GitHub Security Advisories (2019-2025) to characterize review likelihood and delays, and to identify two latency regimes (a fast path for GRAs and a slow path for NVD-first advisories). Developed a queueing model that explains this dichotomy.
GitHub Security Advisories (GHSA) have become a central component of open-source vulnerability disclosure and are widely used by developers and security tools. A distinctive feature of GHSA is that only a fraction of advisories are reviewed by GitHub, while the mechanisms associated with this review process remain poorly understood. In this paper, we conduct a large-scale empirical study of the GHSA review processes, analyzing over 288,000 advisories spanning 2019-2025. We characterize which advisories are more likely to be reviewed, quantify review delays, and identify two distinct review-latency regimes: a fast path dominated by GitHub Repository Advisories (GRAs) and a slow path dominated by NVD-first advisories. We further develop a queueing model that accounts for this dichotomy based on the structure of the advisory processing pipeline.