Characterizing and Modeling the GitHub Security Advisories Review Pipeline
Abstract
GitHub Security Advisories (GHSA) have become a central component of open-source vulnerability disclosure and are widely used by developers and security tools. A distinctive feature of GHSA is that only a fraction of advisories are reviewed by GitHub, while the mechanisms associated with this review process remain poorly understood. In this paper, we conduct a large-scale empirical study of the GHSA review processes, analyzing over 288,000 advisories spanning 2019-2025. We characterize which advisories are more likely to be reviewed, quantify review delays, and identify two distinct review-latency regimes: a fast path dominated by GitHub Repository Advisories (GRAs) and a slow path dominated by NVD-first advisories. We further develop a queueing model that accounts for this dichotomy based on the structure of the advisory processing pipeline.
Cite
@article{arxiv.2602.06009,
title = {Characterizing and Modeling the GitHub Security Advisories Review Pipeline},
author = {Claudio Segal and Paulo Segal and Carlos Eduardo Banjar and Felipe de Sant'Anna Paixão and Hudson Silva Borges and Paulo Silveira and Eduardo Santana de Almeida and Joanna C. S. Santos and Anton Kocheturov and Gaurav Kumar Srivastava and Daniel Sadoc Menasché},
journal= {arXiv preprint arXiv:2602.06009},
year = {2026}
}
Comments
Paper accepted at 23rd International Mining Software Repositories Conference (MSR 2026)