|GitHub Security Bug Bounty Milestones|
|Written by Alex Armstrong|
|Thursday, 02 April 2020|
GitHub recently passed $1,000,000 in total payments to researchers since moving its program to HackerOne in 2016. Over half its total awards were made in the last year alone, reaching almost $590,000 in total bounty rewards across its programs.
It is now over six years since GitHub initiated its Security Bug Bounty program which offers rewards of $30,000 or more for critical vulnerabilities. It saw a 40 percent increase in submissions last year and prides itself on its quick response time - maintaining an average response time of 17 hours.
In his recent blog post, Brian Anglin writes:
One of my favorite parts of working on the bug bounty program is getting to see the amazing submissions we get from the community. Many of the best submissions show an understanding of GitHub and our technology that rivals that of our own engineering teams. We’ve offered very competitive bounties so we can attract those talented individuals and provide them an incentive to spend time digging deep into our codebase. The community in 2019 did not disappoint.
He goes on to outline two specific exploits, an OAuth flow bypass using cross-site HEAD requests and a GitHub.com remote code execution through command injection, together with GitHub's response to each of them.
As we reported when they occurred, GitHub made notable security-related acquisitions in 2019, including Dependabot and Semmle. Referring to their impact on the bug bounty program, the blog post explains:
GitHub has again expanded the scope of the Security Bug Bounty program to take account of its latest significant new features. GitHub for mobile, which, as we reported, is now available for Android and iOS and was GitHub's first presence in the App Store and Google Play, introduced new security concerns, as did GitHub Actions, one of GitHub’s biggest releases, which brought with it whole classes of new security corner cases.
The program has already paid out over $20,000 in bounties for vulnerabilities affecting the products in this expanded scope, and the scope of the program is set to continue to expand as GitHub grows.
|Last Updated ( Thursday, 02 April 2020 )|