If this is your first time using GitHub Security Advisories, please allow me to guide you through how they work.
As of September 17th, 2019, when advisories are published, the entire discussion within the advisory will not be made public. Any information you want to provide to the public should be included in the advisory body.
The UX for this is kinda bad on GitHub's behalf. In order to put the information in the advisory, you must use the form button.
I would recommend requesting a Common Vulnerabilities and Exposures (CVE) number from a CVE Numbering Authority (CNA) before publishing your advisory. A CVE number is a shared, vendor-neutral identifier used to track and disclose a vulnerability publicly, so downstream users, scanners, and other databases can all refer to the same issue.
The following CNAs may be relevant to your vulnerability:
- Sonatype (for Java projects): https://www.sonatype.com/central-security-project
- Snyk (for lots of project types): https://snyk.io/vulnerability-disclosure/
- MITRE (catchall, anyone can report to): https://cveform.mitre.org/
Once a CVE number has been received, add it to the advisory, take one last proofreading pass, and click the 'Publish Advisory' button.
As of September 17th, 2019, editing an advisory after it has been published is only possible by reaching out to the GitHub support staff and asking them to update your advisory for you. In my opinion this won't scale, and it is a pretty bad user experience given that almost everything else on GitHub can be updated after you post it. The GitHub team has confirmed that they are aware of this issue; hopefully this won't be a limitation much longer.
So glad this is no longer needed. The UI has improved drastically.