GitHub Raises Maximum Bug Bounty Payout to $10,000

Git repository hosting service GitHub has doubled the maximum amount of money it’s prepared to pay out to researchers who responsibly disclose vulnerabilities.
GitHub launched its bug bounty program exactly one year ago. Over the past year, security experts submitted a total of 1,920 reports, of which 869 warranted further review. In the end, 73 previously unknown vulnerabilities were fixed, the company said.

As far as rewards are concerned, GitHub has paid out a total of $55,100 to 33 researchers who reported 57 medium- to high-risk security flaws. Up until this week, the maximum bounty payout was $5,000, but now GitHub has decided to double it to $10,000.

[Figure: GitHub bug bounty program submissions]

The top reporters so far are Aleksandr Dobkin, joernchen of Phenoelit, and Russian software developer Egor Homakov.

Dobkin has reported remote code execution, arbitrary file read, stored cross-site scripting (XSS), open redirect, and other types of vulnerabilities. One of the most interesting bugs identified by the researcher is a DOM-based XSS that leveraged a previously unknown flaw in Chrome. The vulnerability could have been exploited to bypass GitHub’s Content Security Policy.

Joernchen has discovered a MySQL typecasting authentication bypass, a two-factor authentication brute-force issue, and a bug that could be leveraged to view the members of a team without authorization. However, the most interesting issue reported by the researcher is a vulnerability that could have been used to set arbitrary environment variables. The expert demonstrated that an attacker could even have executed arbitrary commands by exploiting this flaw.

GitHub’s bug bounty program covers the GitHub API, Gist, GitHub.com, and other applications developed and maintained by the company.

Bug bounty programs are said to be more cost-effective than hiring a team of security experts. This is probably why several high-profile organizations have launched responsible vulnerability disclosure programs over the past year. The list includes Twitter, Pinterest, Blackphone/Silent Circle, and Riot Games.

Written by

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.