When GitHub Dependabot identifies a vulnerable dependency in a repository where alerts are enabled, it initiates a standard, automated workflow. First, it generates a Dependabot alert, which is a formal record of the vulnerability. This alert is then made visible within the repository's "Security" tab, providing a centralized location for maintainers to review and manage security issues. Concurrently, assuming default notification settings are in place, GitHub automatically sends notifications to users with admin permissions for the repository, ensuring that those responsible for security are promptly informed and can take action.

C. This option describes the default enablement state for repositories, not the action taken when a vulnerability is found. Also, alerts are not enabled by default for all private repositories; this requires enabling GitHub Advanced Security.

D. The process is automated against the GitHub Advisory Database. There is no real-time consultation or a new, thorough review conducted for each individual alert generated.

1. GitHub Docs, "About Dependabot alerts." This document states, "When your code depends on a package that has a security vulnerability, we'll generate a Dependabot alert and you can see it on the Security tab of the repository." This directly supports option A.

2. GitHub Docs, "Configuring notifications for Dependabot alerts." Under the section "About notifications for Dependabot alerts," the documentation specifies, "By default, we notify people with admin permissions in the affected repositories..." This directly supports option B.

3. GitHub Docs, "About the GitHub Advisory Database." This page explains that Dependabot uses the GitHub Advisory Database as its source for vulnerabilities, which refutes the idea of a real-time consultation as suggested in option D.

4. GitHub Docs, "Quickstart for Dependabot alerts." This guide confirms that for private repositories, you must "enable the dependency graph and Dependabot alerts for your repository," which contradicts the claim in option C that it is on by default for all private repositories.