GitHub Bounty Program Increases Rewards
Written by Kay Ewbank   
Wednesday, 20 February 2019

GitHub's Security Bug Bounty Program is now five years old and has been updated again with better rewards and a wider remit. Now a Microsoft-owned company, GitHub has also added Legal Safe Harbor terms to its policy to offer researchers better legal protection.

 

githubdeklogo

GitHub's bounty program aims to find bugs in code hosted on the GitHub site, and last year GitHub paid out $165,000 to researchers who found security weaknesses. The company also used a mixture of researcher grants, private bug bounty programs, and a live-hacking event, paying out $250,000 overall to researchers. Some of the money went to researchers who identified security bugs in  GitHub's REST and GraphQL APIs.

GitHub also took part in HackerOne’s H1-702 live-hacking event in Las Vegas, where 75 of the top researchers from HackerOne focused on GitHub’s products for one evening of live-hacking. This saw nearly $75,000 paid out for 43 vulnerabilities, including one critical-severity vulnerability in GitHub Enterprise Server.

One of the main changes this year is the legal safe harbor support. This is intended to keep participants in the program safe from the risk that they might be sued. The program now includes a firm commitment that GitHub will not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants’ bounty program research activities. GitHub also says it will do its best to protect participants against legal risk from third parties who won’t commit to the same level of safe harbor protections.

The expanded scope makes more GitHub products and services eligible for reward for security vulnerabilities that are discovered. Newly included this year are  GitHub Education, GitHub Learning Lab, GitHub Jobs, the GitHub Desktop application and GitHub Enterprise Cloud. 

octocatdet

 

 

The potential rewards are also greater. GitHub says this is partly to match the reward amounts offered by other companies offering similar programs, and partially in recognition that higher-severity vulnerabilities in GitHub’s products is becoming increasingly difficult for researchers. The main new levels see critical bugs worth from $20,000, but with no upper limit for a maximum reward. A guideline upper amount of $30,000 is the general likely limit, but GitHub is reserving the right to reward significantly more for truly cutting-edge research.

 

More Information

GitHub Security Bug Bounty program

Related Articles

GitHub Bug Bounty Program Expanded In Scope and Reward  

Bug Bounty Bonanza

Intel Extends Bug Bounty Program

Microsoft and Facebook Launch Internet Bug Bounty Scheme

New Android Bug Bounty Scheme

Microsoft Bug Bounty Extends Scope

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on, Twitter, FacebookGoogle+ or Linkedin.

Banner


GraphQL Foundation Gets Bigger
15/03/2019

The GraphQL Foundation has announced a collaboration with the Joint Development Foundation, and new members including Neo4j have joined.



Google Smashes Pi Record For Pi Day
14/03/2019

To mark this year's Pi Day, Google has announced a new world record of 31.4 trillion digits for our favorite irrational mathematical constant, Pi. 


More News

Python

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Wednesday, 20 February 2019 )