GitHub Security Bug Bounty Milestones
Written by Alex Armstrong   
Thursday, 02 April 2020

GitHub recently passed $1,000,000 in total payments to researchers since moving its program to HackerOne in 2016.  Over half its total awards were made in the last year alone, reaching almost $590,000 in total bounty rewards across its programs.


It is now over six years since GitHub initiated its Security Bug Bounty program which offers rewards of $30,000 or more for critical vulnerabilities. It saw a 40 percent increase in submissions last year and prides itself on its quick response time - maintaining an average response time of 17 hours. 

In his recent blog post, Brian Anglin writes:

One of my favorite parts of working on the bug bounty program is getting to see the amazing submissions we get from the community. Many of the best submissions show an understanding of GitHub and our technology that rivals that of our own engineering teams. We’ve offered very competitive bounties so we can attract those talented individuals and provide them an incentive to spend time digging deep into our codebase. The community in 2019 did not disappoint.

He goes on to outline two specific exploits, an OAuth flow bypass using cross-site HEAD requests and a remote code execution through command injection together with GitHub's response to them.  

As we reported when they occurred, GitHub made notable security related acquisitions in 2019,including  Dependabot and Semmie. Referring to their impact on the bug bounty program the blog post explains:

  • Automated security updates (formerly Dependabot ) added a better way to track vulnerabilities in dependencies since it automatically opens new pull requests updating the version of a dependency when it finds a new security fix.
  • Semmle’s LGTM tool was a significant addition to our suite of security tools, like Dependabot and the Maintainer Security Advisories. LGTM allows our users to scan for potential security issues in their code on every pull request.

GitHub has again expanded the scope of the Security Bug Bounty program to take account of its latest significant new features.  GitHub for mobile which, as we reported is now available for Android and iOS was GirHub's first presence in the App Store/Google Play, introduced new security concerns as did GitHub Actions, one of GitHub’s biggest releases, which brought with it whole classes of new security corner cases. 

The program has already paid out over $20,000 in bounties for vulnerabilities affecting the products in this expanded scope, and the scope of the program is set to continue to expand as GitHub grows.


More Information

GitHub Security Bug Bounty program

Six years of the GitHub Security Bug Bounty program

Related Articles

GitHub Mobile App Available

Who Are The Hackers and Why 

Over $21 Million In Google Bug Bounty

GitHub Bounty Program Increases Rewards

GitHub Adds New Code Security Features

GitHub Buys Semmle, Becomes CVE Numbering Authority 

GitHub Bug Bounty Program Expanded In Scope and Reward  

Bug Bounty Bonanza

Intel Extends Bug Bounty Program

Microsoft and Facebook Launch Internet Bug Bounty Scheme

New Android Bug Bounty Scheme

Microsoft Bug Bounty Extends Scope

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


OpenSilver 2.2 Adds LightSwitch Compatibility Pack

OpenSilver 2.2 has been released with the addition of a LightSwitch Compatibility Pack designed to provide a way to run legacy Visual Studio LightSwitch applications on modern browsers. The open-sourc [ ... ]

Microsoft's Cybersecurity For Beginners

A free, self-paced course about Cybersecurity 101 is on offer by Microsoft's Cloud Security Advocates. It's a 30+ lesson curriculum targeted at complete novices.

More News

raspberry pi books



or email your comment to:

Last Updated ( Thursday, 02 April 2020 )