GitHub recently celebrated the fourth year of its Security Bug Bounty program and reported that 2017 had seen growth in participation by researchers, program initiatives, and the rewards paid out.

As we reported last October, GitHub's minimum payout is now $555 and this seems to paid off in terms of attracting security researchers to the program.

On the GitHub blog, Greg Ose reports that in 2017 there were 840 submissions to the program. Of these submissions, Github resolved and rewarded a total of 121 reports with an average payout of $1,376 plus swag, This compares to 795 reports in 2016 of which 48 were resolved so the rate of valid reports increased from 6% to almost 15% year on year. 

The total payout from the program had reached $95,300 by the end of 2016 and increased to $166,495 in 2017. It now stands at $219,025 with the top bounty payout in the range $3000 to $12,000 - well below the new maximum of $20,000 introduced in October.

To give security researchers more targets to investigate GitHub Enterprise was included in the scope of the Bug Bounty program. In addition when GitHub for Business was launched in March 2017, GitHub rolled out private bug bounties.

According to Ose:.

Through a private program on HackerOne, we reached out to all researchers who had previously participated in our program and allowed them access to this functionality before its public launch. This added to our internal pre-ship security assessments with review by external researchers and helped us identify and remediate issues before general exposure. With the extra review, we were able to limit the impact of vulnerabilities in production while also providing fresh code and functionality for researchers to look into.

Another initiative trialled in 2017 was providing researcher grants, a move inspired by Google which launched Vulnerability Research Grants in 2015. Ose explains:

The basic premise is that we pay a fixed amount to a researcher to dig into a specific feature or area of the application. In addition to the fixed payment for the grant, any vulnerabilities identified would also be paid out through the Bug Bounty program. During the beginning of the year, we identified a researcher with specialty in assessing troublesome enterprise authentication methods. We reached out and launched our first researcher grant. We couldn’t have been happier with the results. It provided a depth of expertise and review that was well worth the extra monetary incentive.

Looking ahead, during 2018 GitHub is planning to launch more private bounties and research grants to gain focus on specific features and says that later in the year it will announce additional promotions to continue to keep researchers interested and excited to participate. 

More Information

Four years of the GitHub Security Bug Bounty

GitHub Security Bug Bounty on HackerOne

Related Articles

Bug Bounty Bonanza

Intel Extends Bug Bounty Program

Microsoft and Facebook Launch Internet Bug Bounty Scheme

New Android Bug Bounty Scheme

Microsoft Bug Bounty Extends Scope

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info