GitHub maintainers can dramatically improve their project's security posture by enabling just six free settings. These aren't a silver bullet against all threats, but they effectively close common vulnerabilities, making projects a much tougher target. According to the GitHub Blog, these settings are designed to be easily implemented, often in under an hour.
The first critical step is adding a SECURITY.md file. This document clearly communicates to researchers how to report vulnerabilities, preventing accidental public disclosure or the need to hunt down maintainer contact information.
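A minimal SECURITY.md that covers the points above, added here as an illustration and not taken from the GitHub Blog post. GitHub recognises the file in the repository root, in `docs/`, or in `.github/` and links it from the repository's Security tab. The contact address, the supported versions, and the response timelines are placeholders a maintainer would replace with their own.

```markdown
# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 2.x     | :white_check_mark: |
| 1.x     | :x:                |

## Reporting a Vulnerability

Please do not open a public issue for security problems.

Report vulnerabilities privately by e-mail to
security@example.com (placeholder address) or through
"Report a vulnerability" on this repository's Security tab.

Please include:

- the affected version or commit,
- steps to reproduce or a proof of concept,
- the impact you believe the issue has.

We will acknowledge your report within 3 business days and aim
to provide a fix or a status update within 14 days (placeholder
timelines). We will credit you in the release notes unless you
ask us not to.
```

Keeping the file short matters more than completeness: a researcher who lands on the Security tab needs the private reporting channel and the expected response time at a glance, and the file should be updated whenever the supported versions or contact address change.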
