GitHub doubles bug bounty for security researchers

Hackers and researchers can now earn up to $10,000, double the previous $5,000 maximum, for uncovering security vulnerabilities in GitHub apps

GitHub is doubling the maximum payout for its Security Bug Bounty program from $5,000 to $10,000, so hackers and security researchers who report previously unknown security vulnerabilities in GitHub applications can now earn up to $10,000 for a single report.

The increased payouts kick off the program’s second year, said GitHub Application Security Engineer Ben Toews, in a blog post. “If you've found a vulnerability that you'd like to submit to the GitHub security team for review, send us the details, including the steps required to reproduce the bug,” Toews said. “You can also follow @GitHubSecurity for ongoing updates about the program.”

Thanks to researchers worldwide, 57 previously unknown security vulnerabilities in GitHub applications have been found and fixed, Toews said: “Of 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications.”

Vulnerabilities found have been creative, he said. “Our top submitter, @adob, reported a persistent DOM-based cross-site scripting vulnerability, relying on a previously unknown Chrome browser bug that allowed our Content Security Policy to be bypassed.” The second-most-prolific submitter, @joernchen, reported a complex vulnerability in the communication between two back-end GitHub services that could allow an attacker to set arbitrary environment variables.

Programs by Google, Facebook, Mozilla, and others have helped build a strong bug-hunting community, GitHub says: “Our bounty program gives a tip of the hat to these researchers and provides some cold hard cash for their efforts.” The Google Vulnerability Reward Program offers rewards ranging from $100 to $20,000. Facebook offers a minimum reward of $500, while the Mozilla Security Bug Bounty Program pays $3,000 and a T-shirt for “valid critical client security bugs.”

GitHub even posts a leaderboard of its top 10 bounty hunters, alongside program rules such as not publicly disclosing a bug until it has been fixed and testing only the GitHub-operated sites listed under GitHub’s open bounties.

Rewards are determined by factors such as the complexity of successfully exploiting a vulnerability, the potential exposure and the percentage of impacted users and systems. Bounties are paid via PayPal; rewards can be donated to charity. International researchers, provided they are not from a country facing U.S. export sanctions or trade restrictions, are eligible, as are researchers between the ages of 13 and 18.