2026-05-24
Link: https://github.com/orgs/community/discussions/51573
HN Discussion: 1 point, 0 comments
This is the kind of quiet, infrastructure-level story that should be raising alarms across every security team relying on GitHub's built-in tooling — but it's sitting at one point with zero comments. The linked thread is a GitHub Community discussion (#51573) reporting that Dependabot and code scanning security alerts are silently failing to deliver notifications. Not malformed. Not delayed. Just… not arriving.
If you're a maintainer or a security engineer, the implications are uncomfortable. The entire premise of GitHub's security suite — Dependabot alerts, secret scanning, CodeQL findings — rests on the assumption that when something bad is detected, the right humans get pinged. Email, web notifications, mobile push: if those channels are dropping messages without any visible error, then your CVE response window isn't what your dashboard says it is. You might be sitting on a critical vulnerability with the alert technically generated but never seen.
What makes this worth a closer look:
The thread itself is community-driven, which means it's the canonical place where affected users compare notes, post repro steps, and (eventually) extract a response from GitHub staff. Even if you're not currently affected, the discussion is worth scanning to understand the failure mode — whether it's tied to org-level notification settings, specific alert types, or a broader delivery pipeline regression.
The broader lesson, beyond GitHub specifically: any security control whose effectiveness depends on a notification channel needs an independent heartbeat. A weekly synthetic alert that you confirm receipt of. A scheduled job that diffs the Security tab against what your team has actually triaged. Otherwise you're trusting the pipe, and pipes leak quietly.
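One way to build that second check, as an added example that is not from the linked discussion or from GitHub: a script that pulls open Dependabot alerts over the REST API and diffs them against the team's own triage record, so an alert that was generated but never noticed surfaces regardless of whether the notification arrived. The triage record format (a set of alert numbers exported from your tracker), the 24-hour grace period and the sample alerts are assumptions.

```python
"""Added example: diff a repo's open Dependabot alerts against the team's own
triage record, so a dropped notification cannot silently hide an alert."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def fetch_open_alerts(owner, repo, token):
    """GET /repos/{owner}/{repo}/dependabot/alerts (first page only; token needs security_events)."""
    url = (f"https://api.github.com/repos/{owner}/{repo}/dependabot/alerts"
           "?state=open&per_page=100")
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json",
                                               "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_unacknowledged(alerts, triaged_numbers, now, max_age_hours=24):
    """Open alerts missing from the triage record (assumed: a set of alert numbers
    exported from your tracker) and older than max_age_hours, most severe first."""
    cutoff = now - timedelta(hours=max_age_hours)
    missed = []
    for alert in alerts:
        if alert["state"] != "open" or alert["number"] in triaged_numbers:
            continue
        created = datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00"))
        if created > cutoff:
            continue  # fresh enough that the notification may still be in flight
        adv = alert["security_advisory"]
        missed.append({"number": alert["number"], "severity": adv["severity"],
                       "id": adv.get("cve_id") or adv["ghsa_id"],
                       "package": alert["dependency"]["package"]["name"],
                       "age_hours": int((now - created).total_seconds() // 3600)})
    return sorted(missed, key=lambda m: SEVERITY_RANK.get(m["severity"], 9))

# Constructed sample shaped like the API response; identifiers are placeholders.
def _alert(number, state, created, severity, pkg):
    return {"number": number, "state": state, "created_at": created,
            "security_advisory": {"severity": severity, "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
                                  "cve_id": None},
            "dependency": {"package": {"name": pkg}}}

SAMPLE_ALERTS = [_alert(12, "open", "2026-05-20T10:00:00Z", "high", "example-lib"),
                 _alert(15, "open", "2026-05-22T09:30:00Z", "critical", "other-lib"),
                 _alert(18, "open", "2026-05-24T08:00:00Z", "medium", "third-lib"),
                 _alert(9, "dismissed", "2026-05-01T00:00:00Z", "low", "old-lib")]
TRIAGED = {12}  # assumed export from the team's tracker: alert 12 was handled
NOW = datetime(2026, 5, 24, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(find_unacknowledged(SAMPLE_ALERTS, TRIAGED, NOW))
```

Run it on a schedule with `fetch_open_alerts` feeding `find_unacknowledged`, and page on any non-empty result through a channel other than GitHub notifications.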
