Characterizing and Modeling the GitHub Security Advisories Review Pipeline
Claudio Segal, Paulo Segal, Carlos Eduardo Banjar, Felipe de Sant'Anna Paixão, Hudson Silva Borges, Paulo Silveira, Eduardo Santana de Almeida, Joanna C. S. Santos, Anton Kocheturov, Gaurav Kumar Srivastava, and Daniel Sadoc Menasché

TL;DR
This paper provides a large-scale empirical analysis of the GitHub Security Advisories review process, revealing review patterns and delays, and models the review pipeline with a queueing approach.
Contribution
It characterizes review likelihood and delays for advisories, and introduces a queueing model capturing the review process dynamics.
Findings
Identified two review-latency regimes: a fast path dominated by GitHub Repository Advisories (GRAs) and a slow path dominated by NVD-first advisories.
Quantified review delays across over 288,000 advisories from 2019-2025.
Analyzed factors influencing advisory review likelihood and timing.
Abstract
GitHub Security Advisories (GHSA) have become a central component of open-source vulnerability disclosure and are widely used by developers and security tools. A distinctive feature of GHSA is that only a fraction of advisories are reviewed by GitHub, while the mechanisms associated with this review process remain poorly understood. In this paper, we conduct a large-scale empirical study of the GHSA review processes, analyzing over 288,000 advisories spanning 2019-2025. We characterize which advisories are more likely to be reviewed, quantify review delays, and identify two distinct review-latency regimes: a fast path dominated by GitHub Repository Advisories (GRAs) and a slow path dominated by NVD-first advisories. We further develop a queueing model that accounts for this dichotomy based on the structure of the advisory processing pipeline.