Confidential/Private Issues & Pull Requests

[flawnn]

Hello everyone!
I am just picking up a year-long suggestion which has been already a thing over at isaacs/github and wanted to emphasize the need of such a feature.
Mentioned already dozens of times, it would help with the privacy & occasional blunders people do when committing accidentally their e.g. credentials/private keys (particularly after the latest occasions of GitHub Dorking).
Especially with your latest efforts to work on the organization & management features on GitHub with "Projects", the ability for teams to still use GitHub for internal team management without needing to forgo features (as we currently need to open a public issue to work with deeper integration) and having to open another private repository/board on another service, would be a favor to many and probably also for yourself.

[legaleagleryan]

[ell1e]

That there is still no confidentiality/hidden toggle seems like a deal-breaker for security, or maybe I'm just missing something.

Like, I can't wrap my head around it how it's supposed to work. For small projects, how would devs even take security issues, like would they try to somehow prevent people from using the issue tracker (they will anyway) and use some security@ internal e-mail list that needs its own setup, own infrastructure, and maintenance? Would they then use a completely separate, internal bug tracker just for security issues to coordinate the dev work, and re-enter them in full into GitHub once ready to be disclosed? I don't understand it.

GitLab has had this for I think around 6 years now.

[xmo-odoo]

Mentioned already dozens of times, it would help with the privacy & occasional blunders people do when committing accidentally their e.g. credentials/private keys (particularly after the latest occasions of GitHub Dorking).

Would also help with security issues, although github has a security vulnerability reporting feature currently in beta even when enabled it's quite hidden and can be difficult for users to find, and furthermore doesn't help that much when the user does not know for sure that an issue is sensitive.

Also private discussion threads.

And per #60808 private (maintainer-only) comments inside of a public discussions would also be useful, if users trust the program maintainers with private information but not necessarily the public at large for instance, there are workarounds but they're distinctly inconvenient.