GitHub Security Bug Bounty Milestones
Written by Alex Armstrong
Thursday, 02 April 2020
GitHub recently passed $1,000,000 in total payments to researchers since moving its program to HackerOne in 2016. Over half of that total was awarded in the last year alone, with almost $590,000 paid out in 2019 across its programs. It is now over six years since GitHub initiated its Security Bug Bounty program, which offers rewards of $30,000 or more for critical vulnerabilities. The program saw a 40 percent increase in submissions last year and prides itself on its quick response time, maintaining an average response time of 17 hours.

In his recent blog post, Brian Anglin writes:

"One of my favorite parts of working on the bug bounty program is getting to see the amazing submissions we get from the community. Many of the best submissions show an understanding of GitHub and our technology that rivals that of our own engineering teams. We’ve offered very competitive bounties so we can attract those talented individuals and provide them an incentive to spend time digging deep into our codebase. The community in 2019 did not disappoint."

He goes on to outline two specific exploits, an OAuth flow bypass using cross-site HEAD requests and a GitHub.com remote code execution through command injection, together with GitHub's response to them. As we reported when they occurred, GitHub made notable security-related acquisitions in 2019, including Dependabot and Semmle. Referring to their impact on the bug bounty program, the blog post explains:
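The first of those two exploits, the OAuth flow bypass using cross-site HEAD requests, is named above but not explained. What follows is an added example, not code from GitHub, HackerOne or the blog post, and it does not claim to reproduce GitHub's actual implementation, which the page does not describe. It is a constructed model of the general bug class that headline names: a CSRF filter that treats HEAD as a safe, read-only method sits in front of an authorization handler that treats "anything other than GET" as the user's consent click, so a HEAD request that a third-party page can make the victim's browser send falls through into the grant branch. The endpoint classes, the cookie name, the token value and the client id are all constructed for the illustration.

```python
# Added illustration, not code from GitHub or from the blog post: a minimal
# model of the bug class named by "OAuth flow bypass using cross-site HEAD
# requests". The handler logic, cookie names and token values are constructed
# for this example and do not describe GitHub's real implementation.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    cookies: dict                      # attached by the browser, even on cross-site requests
    form: dict = field(default_factory=dict)


# Constructed sample value standing in for the session's anti-CSRF token.
SESSION_CSRF_TOKEN = "tok-7f3a"


def csrf_ok(req: Request) -> bool:
    """Typical framework default: GET, HEAD and OPTIONS are assumed to be
    read-only, so only other methods must present the session's token."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True
    return req.form.get("authenticity_token") == SESSION_CSRF_TOKEN


class VulnerableAuthorizeEndpoint:
    """GET renders the consent page; *anything else* is treated as the consent
    click. HEAD passes the CSRF filter as a 'safe' method but is not GET, so a
    cross-site HEAD (e.g. fetch(url, {method: "HEAD", mode: "no-cors",
    credentials: "include"}) from an attacker page) reaches the grant branch."""

    def __init__(self):
        self.grants = []  # (user, client_id) pairs authorized so far

    def handle(self, req: Request, client_id: str) -> str:
        if not csrf_ok(req):
            return "403 Forbidden"
        if req.method == "GET":
            return "200 consent form"
        self.grants.append((req.cookies["user"], client_id))  # state change
        return "302 Found (redirect with authorization code)"


class FixedAuthorizeEndpoint:
    """Select the state-changing path by allow-listing POST, never by 'not GET'.
    HEAD takes the read-only path, only POST can grant, and POST must still
    carry the CSRF token."""

    def __init__(self):
        self.grants = []

    def handle(self, req: Request, client_id: str) -> str:
        if req.method in ("GET", "HEAD"):
            return "200 consent form"
        if req.method != "POST":
            return "405 Method Not Allowed"
        if not csrf_ok(req):
            return "403 Forbidden"
        self.grants.append((req.cookies["user"], client_id))
        return "302 Found (redirect with authorization code)"


def run_demo():
    """Replay one cross-site HEAD request against both endpoints and return
    (vulnerable_status, vulnerable_grants, fixed_status, fixed_grants)."""
    victim_cookies = {"user": "alice"}  # constructed: a logged-in victim's session
    # What the browser sends for a cross-site HEAD: cookies attached, no form body.
    cross_site_head = Request(method="HEAD", cookies=victim_cookies)

    vuln = VulnerableAuthorizeEndpoint()
    fixed = FixedAuthorizeEndpoint()
    v_status = vuln.handle(cross_site_head, client_id="evil-app")
    f_status = fixed.handle(cross_site_head, client_id="evil-app")
    return v_status, list(vuln.grants), f_status, list(fixed.grants)


if __name__ == "__main__":
    print(run_demo())
```

The fix is the allow-list: the state change happens only for POST, and POST is the one method the CSRF filter actually checks. Marking the session cookie SameSite=Lax is a worthwhile second layer, since browsers then omit it from cross-site fetch requests regardless of method, but it is not a substitute for getting the method logic right.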
GitHub has again expanded the scope of the Security Bug Bounty program to take account of its latest significant new features. GitHub for mobile, which, as we reported, is now available for Android and iOS and was GitHub's first presence in the App Store and Google Play, introduced new security concerns, as did GitHub Actions, one of GitHub's biggest releases, which brought with it whole new classes of security corner cases. The program has already paid out over $20,000 in bounties for vulnerabilities affecting the products in this expanded scope, and the scope is set to continue to expand as GitHub grows.
More Information
GitHub Security Bug Bounty program
Six years of the GitHub Security Bug Bounty program

Related Articles
Over $21 Million In Google Bug Bounty
GitHub Bounty Program Increases Rewards
GitHub Adds New Code Security Features
GitHub Buys Semmle, Becomes CVE Numbering Authority
GitHub Bug Bounty Program Expanded In Scope and Reward
Intel Extends Bug Bounty Program
Microsoft and Facebook Launch Internet Bug Bounty Scheme
Microsoft Bug Bounty Extends Scope
Last Updated ( Thursday, 02 April 2020 )