GitHub Releases New Tools to Report Vulnerabilities

The new features came out the same day as a study that found many open-source projects lack a clear way to report security problems

For most software developers, importing code from third-party libraries is an easy way to add new functionality to a program without building it from scratch. But relying on open-source libraries carries risk: a vulnerability in one widely used library is inherited by every program that depends on it, which makes such libraries attractive targets for attackers.

Given all this, it’s important for users of any library to be able to report potential security issues to the project’s owners, so such problems can be fixed before they’re exploited. But until recently, many projects on the online repository GitHub lacked a clear way for users to submit security reports.
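As an added illustration, not code from the article or from the study it describes, the following Python script audits a project directory for a concrete reporting channel: a SECURITY.md in the locations GitHub conventionally recognizes (repository root, `.github/`, `docs/`; an assumption made here), a security-related heading in the README, or a `security@` contact address in the README. The three sample project trees are constructed for the example.

```python
import os
import re
import tempfile

# Assumption: these are the paths where a security policy file is
# conventionally placed (root, .github/, docs/).
POLICY_PATHS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")

# A README heading that mentions security or vulnerabilities.
SECURITY_HEADING = re.compile(
    r"^#+\s*.*\b(security|vulnerabilit(?:y|ies))\b", re.IGNORECASE | re.MULTILINE
)
# A security@ contact address anywhere in the README.
SECURITY_EMAIL = re.compile(r"\bsecurity@[\w.-]+\.\w+\b", re.IGNORECASE)


def audit_reporting_path(repo_dir):
    """Describe how a vulnerability report could reach this project's maintainers.

    Returns a dict with:
      policy_file    - relative path of the first SECURITY.md found, or None
      readme_heading - True if the README has a heading mentioning security
      readme_contact - a security@ address found in the README, or None
      has_clear_path - True if any of the above gives a reporter a channel
    """
    result = {"policy_file": None, "readme_heading": False, "readme_contact": None}
    for rel in POLICY_PATHS:
        if os.path.isfile(os.path.join(repo_dir, rel)):
            result["policy_file"] = rel
            break
    readme = os.path.join(repo_dir, "README.md")
    if os.path.isfile(readme):
        with open(readme, encoding="utf-8") as fh:
            text = fh.read()
        result["readme_heading"] = bool(SECURITY_HEADING.search(text))
        match = SECURITY_EMAIL.search(text)
        result["readme_contact"] = match.group(0) if match else None
    result["has_clear_path"] = (
        result["policy_file"] is not None
        or result["readme_heading"]
        or result["readme_contact"] is not None
    )
    return result


def make_sample_repo(files):
    """Write {relative_path: content} into a throwaway directory (constructed data)."""
    root = tempfile.mkdtemp(prefix="repo-")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


# Constructed sample projects; none of these is a real repository.
WITH_POLICY = {
    "README.md": "# libfoo\n\nA parsing library.\n",
    ".github/SECURITY.md": "# Security Policy\n\nReport issues to security@example.org.\n",
}
README_ONLY = {
    "README.md": "# libbar\n\n## Reporting a vulnerability\n\nEmail security@example.org.\n",
}
NO_PATH = {
    "README.md": "# libbaz\n\nOpen an issue for bugs.\n",
}

if __name__ == "__main__":
    for name, files in (("with_policy", WITH_POLICY),
                        ("readme_only", README_ONLY),
                        ("no_path", NO_PATH)):
        print(name, audit_reporting_path(make_sample_repo(files)))
```

Run over a checkout of your own repositories, the `has_clear_path` field is the quick signal; the other fields show whether the channel is a dedicated policy file or only a mention buried in the README, which is the distinction the article's study is concerned with.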

“I think reporting is the first step needed,” says University of Waterloo assistant professor Meiyappan Nagappan. But, adds University of Michigan professor Atul Prakash, “if the reporting process isn’t simple and straightforward, that can discourage or delay security reporting. And that can have consequences.”

While working on another project in 2018, Nagappan and his team found it difficult to report a vulnerable version of Apache Struts, the open-source web framework attackers exploited to breach Equifax in 2017. They tried to notify other GitHub projects that depended on the same vulnerable version through a combination of emailing project owners, opening issues, and submitting pull requests.