[GHSA-p93r-85wp-75v3] Bouncy Castle Has Covert Timing Channel Vulnerability

[amita-seal]

Updates

• CVSS v4
• Severity

Comments
I don't actually think a change is needed. however, this GHSA shows as github reviewed on github website: GHSA-p93r-85wp-75v3
yet, it's in the "unreviewed" folder on github-advisory repo: https://github.com/github/advisory-database/blob/08dc98fd3dc8d10a5b8d9a87846d305c7db7ae56/advisories/unreviewed/2026/04/GHSA-p93r-85wp-75v3/GHSA-p93r-85wp-75v3.json

Does this mean it's reviewed or not?
Thanks!

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[shelbyc]

Hi @amita-seal, my colleagues and I reviewed GHSA-p93r-85wp-75v3 and the GitHub Reviewed tag on the advisory page is accurate. I'm not sure why it appears as unreviewed at https://github.com/github/advisory-database/blob/08dc98fd3dc8d10a5b8d9a87846d305c7db7ae56/advisories/unreviewed/2026/04/GHSA-p93r-85wp-75v3/GHSA-p93r-85wp-75v3.json. Maybe because advisories that originate from ingestion from NVD are automatically published in unreviewed, regardless of whether or not they're eventually reviewed?

[shelbyc]

Closing the PR because there isn't anything I can do with the advisory to make it change from the unreviewed folder to the reviewed folder