A question about review priority

Open leoambrus opened this issue 1 year ago • 1 comment

My name is Leonardo A. de Lima, and I am a computer science student at the Federal University of Rio de Janeiro. I am currently conducting research on open-source information security repositories and found yours particularly intriguing. I would like to inquire whether there is a prioritization process for reviewing artifacts, specifically regarding the progression from unreviewed to reviewed status. Thank you for your attention.

leoambrus, Sep 23 '24 10:09

There isn’t an automatic or guaranteed progression from unreviewed to reviewed status for every advisory. The prioritization is largely internal, based on observable risk and coverage needs, and subject to GitHub’s curation resources.

Currently, advisories in the GitHub Advisory Database are published in two main categories: unreviewed (auto-imported, often directly from the National Vulnerability Database) and reviewed (curated by GitHub analysts or maintainers for completeness, accuracy, affected ecosystem, and severity). There is no public, formal prioritization process disclosed for how unreviewed advisories are selected to be reviewed, and the team does not guarantee that all unreviewed advisories will progress to reviewed status.

Several factors—such as the advisory’s recency, severity, relevance to supported ecosystems, and completeness of information—can influence whether and when an advisory receives human review. High-impact or high-risk vulnerabilities (e.g., those affecting popular packages or critical software) tend to be prioritized, but the review rate is limited by available resources and the sheer volume of disclosures. Most unreviewed advisories remain as such because they either lack enough detail for actionable curation, do not match a supported package ecosystem, or do not carry a risk substantial enough to warrant manual review.

morningstarxcdcode, Aug 03 '25 05:08
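The reply above describes two classes of records, reviewed and unreviewed, and names the attributes curation adds (affected ecosystem, severity). The script below is an added example, not code from the advisory-database project or from either commenter: it reads advisory records in the OSV-style JSON the repository publishes, tells the two classes apart, and reports which unreviewed records still carry enough package and severity data for automated matching. It assumes that the `database_specific.github_reviewed` boolean and `database_specific.severity` label are present in those files (my reading of the format, not something the thread states), and the two sample records are constructed with placeholder identifiers.

```python
"""Classify GitHub Advisory Database records as reviewed or unreviewed.

Added example, not code from the advisory-database project. It assumes the
OSV-style JSON layout of the repository's advisory files, where
`database_specific.github_reviewed` marks curated entries. The two sample
records below are constructed; their IDs are placeholders, not real advisories.
"""
import json


def classify_advisory(record: dict) -> dict:
    """Return the review status plus the fields a consumer needs to act on."""
    dbs = record.get("database_specific") or {}
    reviewed = bool(dbs.get("github_reviewed", False))

    # Ecosystems come from the OSV `affected` list; unreviewed NVD imports
    # often have none because no package mapping has been curated yet.
    ecosystems = sorted({
        a["package"]["ecosystem"]
        for a in record.get("affected", [])
        if isinstance(a.get("package"), dict) and a["package"].get("ecosystem")
    })

    # GitHub's coarse label (LOW/MODERATE/HIGH/CRITICAL) sits in
    # database_specific.severity; a CVSS vector, if any, is in top-level `severity`.
    severity = dbs.get("severity")
    cvss = next(
        (s.get("score") for s in record.get("severity", [])
         if str(s.get("type", "")).startswith("CVSS")),
        None,
    )

    # Actionable for automated dependency matching: at least one affected
    # package in a named ecosystem plus some severity signal.
    actionable = bool(ecosystems) and (severity is not None or cvss is not None)

    return {
        "id": record.get("id"),
        "status": "reviewed" if reviewed else "unreviewed",
        "reviewed_at": dbs.get("github_reviewed_at"),
        "ecosystems": ecosystems,
        "severity": severity,
        "cvss": cvss,
        "actionable": actionable,
    }


def summarize(records) -> dict:
    """Count records per status and how many unreviewed ones are still actionable."""
    counts = {"reviewed": 0, "unreviewed": 0, "unreviewed_actionable": 0}
    for rec in records:
        c = classify_advisory(rec)
        counts[c["status"]] += 1
        if c["status"] == "unreviewed" and c["actionable"]:
            counts["unreviewed_actionable"] += 1
    return counts


# Constructed sample records (placeholder IDs, not real advisories).
SAMPLE_REVIEWED = json.loads("""{
  "id": "GHSA-xxxx-xxxx-xxx1",
  "aliases": ["CVE-0000-00001"],
  "summary": "Constructed example: path traversal in example-lib",
  "severity": [{"type": "CVSS_V3",
                "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
  "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}]}],
  "database_specific": {"github_reviewed": true,
                        "github_reviewed_at": "2024-09-23T10:09:00Z",
                        "severity": "HIGH", "cwe_ids": ["CWE-22"]}
}""")

SAMPLE_UNREVIEWED = json.loads("""{
  "id": "GHSA-xxxx-xxxx-xxx2",
  "aliases": ["CVE-0000-00002"],
  "summary": "Constructed example: imported from NVD, no package mapping yet",
  "severity": [],
  "affected": [],
  "database_specific": {"github_reviewed": false,
                        "nvd_published_at": "2025-08-03T05:08:00Z"}
}""")


if __name__ == "__main__":
    for rec in (SAMPLE_REVIEWED, SAMPLE_UNREVIEWED):
        print(json.dumps(classify_advisory(rec), indent=2))
    print(summarize([SAMPLE_REVIEWED, SAMPLE_UNREVIEWED]))
```

Run against a directory of the repository's JSON files, `summarize` gives a quick picture of how much of the unreviewed backlog is already usable for dependency matching versus how much lacks the package or severity data the reply says curation adds.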