GitHub bug bounties: Smaller, more focused is better

GitHub offers rewards to researchers who find vulnerabilities in its products, limiting the program's focus to ensure its effectiveness

With Microsoft, Google, and Facebook now all offering bug bounty programs to reward the responsible disclosure of vulnerabilities in their software, it's no surprise other big names in tech are starting to offer bug rewards as well. One of the newest bounty providers: GitHub.

The collaborative code-sharing site's bug bounty program rewards users who can identify a vulnerability in one of a number of selected GitHub products with payouts from $100 up to $5,000, paid via PayPal. The more severe the problem and the larger the possible impact on GitHub's audience, the bigger the reward.

GitHub is deliberately keeping the list of eligible products and the range of bug classes it pays bounties for small. Right now, only bugs in the GitHub API, GitHub Gist (GitHub's code-snippet sharing service, akin to Pastebin), and the website are eligible for bounties. That said, if someone discovers a vulnerability in another GitHub property and it turns out to be a doozy, GitHub may compensate a bug hunter at its discretion.

The rules for the program are straightforward and prohibit the use of automated penetration testing tools, social engineering attacks, or the exploitation of any found vulnerabilities to access another user's accounts or data. A slew of folks have already turned up and disclosed issues to GitHub, although no new bounty-worthy bugs have been discovered in recent months.

Depending on who you talk to, that lack is either evidence that bug bounty programs work -- or evidence they might only draw attention away from other, more urgent problems.

Independent studies claim bug bounties are as effective as hiring full-time employees to do the same work -- in some cases, even better. Some of the discoveries and payouts have been impressive, such as the $33,500 reward paid out by Facebook when a Brazilian computer engineer found a major exploit in that social network's OpenID code.

But InfoWorld's Roger Grimes has dissented, claiming that bug bounty programs might only give further incentive to criminals to find bugs and never disclose them to vendors.

"The biggest problem with bug bounty programs is that you never know which security bugs will 'go big,'" Grimes writes. "Very few security bugs, no matter how severe, end up exploiting millions and millions of customers." To his mind, "the ultimate measure of [a bug bounty program's] success is whether that vendor's customers are actually attacked successfully less often over time. Realistically, this is almost impossible to isolate for."

The fact that the scope of GitHub's bounty program remains modest may be a point in its favor, since it encourages both the bug finders and GitHub to be that much more conscious of what bug bounties can and can't address properly. Bug bounties are only one weapon in the arsenal against exploits, and by keeping both focus and rewards comparatively modest, GitHub stands a better chance of not letting its bounty program dilute itself.

This story, "GitHub bug bounties: Smaller, more focused is better," was originally published at InfoWorld.

Copyright © 2014 IDG Communications, Inc.