Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

GitHub Increases Bug Bounty Program Rewards, Expands Scope

After paying out $250,000 in bug bounties in 2018, GitHub has decided to increase rewards and expand the scope of its bug bounty program.

After paying out $250,000 in bug bounties in 2018, GitHub has decided to increase rewards and expand the scope of its bug bounty program.

GitHub revealed on Tuesday that last year it paid out $165,000 to researchers who took part in its public bug bounty program. Security experts also earned significant amounts of money through GitHub’s private bug bounty programs, researcher grants, and a live hacking event.

The hacking event took place in August in Las Vegas and it resulted in the discovery of 43 vulnerabilities, for which the company paid out nearly $75,000.

GitHub has announced some important changes to its bug bounty program for 2019, including the addition of legal safe harbor terms whose goal is to guarantee that researchers who look for vulnerabilities in its systems will not face legal action.

The company says researchers are safe from legal action even if they accidentally overstep the scope of the bug bounty program, and they don’t have to worry about violating terms of service and policies. For example, the GitHub Enterprise license restrictions prohibit reverse engineering, but reverse engineering will still be allowed if it’s related to finding vulnerabilities for in-scope services.

GitHub also announced that its bug bounty program now also covers GitHub Education, GitHub Learning Lab, GitHub Jobs, the GitHub Desktop application, and GitHub Enterprise Cloud.

“It’s not just about our user-facing systems. The security of our users’ data also depends on the security of our employees and our internal systems. That’s why we’re also including all first-party services under our employee-facing githubapp.com and github.net domains,” the company explained.

Finally, GitHub says it has decided that there will no longer be a maximum reward limit for critical vulnerabilities – it has listed $30,000 as the top limit, but the company says it’s just a guideline. High-severity issues can earn researchers up to $20,000, while medium-severity flaws can be worth as much as $10,000.

Advertisement. Scroll to continue reading.

Related: GitHub Exposed Passwords of Some Users

Related: Hackers Earn Big Bounties for GitHub Enterprise Flaws

Related: GitLab Launches Public Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...