GitHub Bounty Program Increases Rewards
Written by Kay Ewbank   
Wednesday, 20 February 2019

GitHub's Security Bug Bounty Program is now five years old and has been updated again with better rewards and a wider remit. Now a Microsoft-owned company, GitHub has also added Legal Safe Harbor terms to its policy to offer researchers better legal protection.



GitHub's bounty program aims to find bugs in code hosted on the GitHub site, and last year GitHub paid out $165,000 to researchers who found security weaknesses. The company also used a mixture of researcher grants, private bug bounty programs, and a live-hacking event, paying out $250,000 overall to researchers. Some of the money went to researchers who identified security bugs in  GitHub's REST and GraphQL APIs.

GitHub also took part in HackerOne’s H1-702 live-hacking event in Las Vegas, where 75 of the top researchers from HackerOne focused on GitHub’s products for one evening of live-hacking. This saw nearly $75,000 paid out for 43 vulnerabilities, including one critical-severity vulnerability in GitHub Enterprise Server.

One of the main changes this year is the legal safe harbor support. This is intended to keep participants in the program safe from the risk that they might be sued. The program now includes a firm commitment that GitHub will not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants’ bounty program research activities. GitHub also says it will do its best to protect participants against legal risk from third parties who won’t commit to the same level of safe harbor protections.

The expanded scope makes more GitHub products and services eligible for reward for security vulnerabilities that are discovered. Newly included this year are  GitHub Education, GitHub Learning Lab, GitHub Jobs, the GitHub Desktop application and GitHub Enterprise Cloud. 




The potential rewards are also greater. GitHub says this is partly to match the reward amounts offered by other companies offering similar programs, and partially in recognition that higher-severity vulnerabilities in GitHub’s products is becoming increasingly difficult for researchers. The main new levels see critical bugs worth from $20,000, but with no upper limit for a maximum reward. A guideline upper amount of $30,000 is the general likely limit, but GitHub is reserving the right to reward significantly more for truly cutting-edge research.


More Information

GitHub Security Bug Bounty program

Related Articles

GitHub Bug Bounty Program Expanded In Scope and Reward  

Bug Bounty Bonanza

Intel Extends Bug Bounty Program

Microsoft and Facebook Launch Internet Bug Bounty Scheme

New Android Bug Bounty Scheme

Microsoft Bug Bounty Extends Scope

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Secure Code Warrior Announces Devlympics

Secure Code Warrior is to host its third annual Devlympics secure coding competition on October 17-18, 2023. Devlympics is a free tournament of coding challenges for developers of all levels of expert [ ... ]

Kotlin Re-Enters TIOBE Index Top 20

Kotlin, the open-source Java alternative from JetBrains, is back in the Top 20 of the TIOBE Index, displacing Julia which lost the 20th position after only one month and is now down at 25th place.

More News

Summer SALE Kindle 9.99 Paperback $10 off!!




or email your comment to:

Last Updated ( Friday, 03 April 2020 )