Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

GitHub Increases Bug Bounty Program Rewards, Expands Scope

After paying out $250,000 in bug bounties in 2018, GitHub has decided to increase rewards and expand the scope of its bug bounty program.

After paying out $250,000 in bug bounties in 2018, GitHub has decided to increase rewards and expand the scope of its bug bounty program.

GitHub revealed on Tuesday that last year it paid out $165,000 to researchers who took part in its public bug bounty program. Security experts also earned significant amounts of money through GitHub’s private bug bounty programs, researcher grants, and a live hacking event.

The hacking event took place in August in Las Vegas and it resulted in the discovery of 43 vulnerabilities, for which the company paid out nearly $75,000.

GitHub has announced some important changes to its bug bounty program for 2019, including the addition of legal safe harbor terms whose goal is to guarantee that researchers who look for vulnerabilities in its systems will not face legal action.

The company says researchers are safe from legal action even if they accidentally overstep the scope of the bug bounty program, and they don’t have to worry about violating terms of service and policies. For example, the GitHub Enterprise license restrictions prohibit reverse engineering, but reverse engineering will still be allowed if it’s related to finding vulnerabilities for in-scope services.

GitHub also announced that its bug bounty program now also covers GitHub Education, GitHub Learning Lab, GitHub Jobs, the GitHub Desktop application, and GitHub Enterprise Cloud.

“It’s not just about our user-facing systems. The security of our users’ data also depends on the security of our employees and our internal systems. That’s why we’re also including all first-party services under our employee-facing githubapp.com and github.net domains,” the company explained.

Finally, GitHub says it has decided that there will no longer be a maximum reward limit for critical vulnerabilities – it has listed $30,000 as the top limit, but the company says it’s just a guideline. High-severity issues can earn researchers up to $20,000, while medium-severity flaws can be worth as much as $10,000.

Related: GitHub Exposed Passwords of Some Users

Related: Hackers Earn Big Bounties for GitHub Enterprise Flaws

Related: GitLab Launches Public Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.