GitHub Bug Bounty Program Now With Swag
Written by Alex Armstrong
Friday, 18 August 2023
2022 was GitHub's biggest bug bounty year in its 9-year history. It paid out more than $1.5M in bounties for 364 vulnerabilities, bringing the total rewards via HackerOne since 2016 to $3.8M.
Twelve months ago, in its eighth-year blog post, GitHub laid out its goals for this past year: hosting a live hacking event with HackerOne, increasing its private bounty engagements, and creating new non-monetary incentives for the hacker community. In this week's blog post, reporting on the ninth year of the program, Jill Moné-Corallo, who is Director of Product Security Engineering Response and oversees the Bug Bounty teams, writes:

"On top of accomplishing these goals, we surpassed the $3,000,000 mark in total payments and grew our internal bug bounty team. We say this often, but it remains true: security is core to GitHub’s mission, and we believe the foundation of a successful security bug bounty program is partnership with talented security researchers."

She went on to provide some impressive statistics for the period from February 2022 to February 2023:
It was June 2022 when GitHub hosted a Live Hacking Event with HackerOne. H1-512 took place in Austin, Texas, over a 2-week period and attracted

"We hosted a Live Hacking Event, H1-512, with HackerOne in Austin June 6-17, 2022. During this two-week event, 45 in-person and remote participants from 19 different countries dedicated their time and effort to finding security vulnerabilities across GitHub, with a special focus on GitHub Copilot, Codespaces and GitHub code search. Bounty rewards were all increased during this event, and additional bonuses were offered for exceptional reports and areas of key focus. Researchers submitted a total of 182 reports, of which 94 (52%) were valid. With the increased bounty rewards and bonuses, bounty awards for the event totaled $696,000 which included $137,975 of awards that the researchers elected to donate to nonprofits and were matched by GitHub."

The aim to introduce non-monetary incentives for the hacker community was realized in January 2023 when the GitHub Bug Bounty swag store was launched. According to Jill Moné-Corallo:

"The addition of the swag store comes from many conversations and feedback on how we can continue to improve our bug bounty program. We learned that not only do our researchers genuinely enjoy receiving swag but they also like to show off their involvement with our bounty program."
By submitting reports, researchers have the ability to receive points that can be redeemed for t-shirts, sweatshirts, stickers, and other items, such as this Octoplush.
More Information
GitHub Security Bug Bounty program
Nine years of the GitHub Security Bug Bounty program

Related Articles
GitHub Security Bug Bounty Milestones
GitHub Bounty Program Increases Rewards