GitHub Bounty Program Increases Rewards
Written by Kay Ewbank   
Wednesday, 20 February 2019

GitHub's Security Bug Bounty Program is now five years old and has been updated again with better rewards and a wider remit. Now a Microsoft-owned company, GitHub has also added Legal Safe Harbor terms to its policy to offer researchers better legal protection.


GitHub's bounty program aims to find bugs in code hosted on the GitHub site, and last year GitHub paid out $165,000 to researchers who found security weaknesses. The company also used a mixture of researcher grants, private bug bounty programs, and a live-hacking event, paying out $250,000 overall to researchers. Some of the money went to researchers who identified security bugs in GitHub's REST and GraphQL APIs.

GitHub also took part in HackerOne’s H1-702 live-hacking event in Las Vegas, where 75 of the top researchers from HackerOne focused on GitHub’s products for one evening of live-hacking. This saw nearly $75,000 paid out for 43 vulnerabilities, including one critical-severity vulnerability in GitHub Enterprise Server.

One of the main changes this year is the legal safe harbor support. This is intended to keep participants in the program safe from the risk of being sued. The program now includes a firm commitment that GitHub will not pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants' bounty program research activities. GitHub also says it will do its best to protect participants against legal risk from third parties who won't commit to the same level of safe harbor protections.

The expanded scope makes more GitHub products and services eligible for rewards for security vulnerabilities that are discovered. Newly included this year are GitHub Education, GitHub Learning Lab, GitHub Jobs, the GitHub Desktop application and GitHub Enterprise Cloud.


The potential rewards are also greater. GitHub says this is partly to match the reward amounts offered by other companies running similar programs, and partly in recognition that finding higher-severity vulnerabilities in GitHub's products is becoming increasingly difficult for researchers. The main new levels see critical bugs worth from $20,000, with no upper limit on the maximum reward. A guideline upper amount of $30,000 is the general likely limit, but GitHub is reserving the right to reward significantly more for truly cutting-edge research.


More Information

GitHub Security Bug Bounty program


Last Updated ( Friday, 03 April 2020 )