🤖 AI Summary
This study addresses the opacity of GitHub Security Advisories (GHSA) vetting, where only a fraction of advisories receive official GitHub review, a gap that undermines the efficiency and credibility of vulnerability disclosure. Through a large-scale empirical analysis of over 288,000 GHSA entries from 2019 to 2025, this work uncovers a previously undocumented dual-track review mechanism, a "GRA fast track" and an "NVD-priority slow track", and develops a queueing-theoretic model aligned with the actual processing workflow. The research quantifies review delays, identifies the factors that influence both the likelihood that an advisory is reviewed and the time to review, and characterizes the dynamics of GHSA vetting. These findings provide a theoretical foundation and practical guidance for improving coordinated vulnerability disclosure mechanisms.
📝 Abstract
GitHub Security Advisories (GHSA) have become a central component of open-source vulnerability disclosure and are widely used by developers and security tools. A distinctive feature of GHSA is that only a fraction of advisories are reviewed by GitHub, while the mechanisms associated with this review process remain poorly understood. In this paper, we conduct a large-scale empirical study of GHSA review processes, analyzing over 288,000 advisories spanning 2019–2025. We characterize which advisories are more likely to be reviewed, quantify review delays, and identify two distinct review-latency regimes: a fast path dominated by GitHub Repository Advisories (GRAs) and a slow path dominated by NVD-first advisories. We further develop a queueing model that accounts for this dichotomy based on the structure of the advisory processing pipeline.