Security Experts:

GitHub Paid $100,000 Since Launch of Bug Bounty Program

Git repository hosting service GitHub announced last week that it has paid out nearly $100,000 to researchers who have contributed to making the platform more secure since the launch of the company’s bug bounty program two years ago.

GitHub reported receiving just over 7,000 vulnerability submissions since January 2014. Of these, 1,772 were further investigated by the company’s security team and a total of 102 flaws, including 16 rated high or critical, earned the 58 researchers who reported them $95,300.

In some cases, the reported flaws were caused by issues in web browsers, but GitHub said it managed to roll out fixes to protect its customers months before browser vendors got around to releasing patches.

While in 2014 most bug bounty reports focused on GitHub’s web services, in 2015, experts reported several vulnerabilities in desktop applications, including remote code execution flaws in GitHub for Mac and Windows.

If bounty hunters want to donate their reward to a charity, GitHub matches the amount. The list of organizations that have benefited from this initiative includes Doctors Without Borders, the Tor Project, the Ada Initiative, the EFF, and the Washington State Burn Foundation.

GitHub, which is currently said to be undergoing a full-blown overhaul, doubled its maximum bug bounty payout to $10,000 in January 2015, after in the first year of running the program the company awarded researchers a total of $55,000 for their contribution.

The amount of money paid out by GitHub as part of its bug bounty program is comparable to LinkedIn, which in June 2015 reported rewards totaling $65,000 since the launch of its program in October 2014. In around the same period, Google reported paying out more than $4 million since 2010, while Facebook reported bounties of more than $3 million since 2011.

Related: Malwarebytes Launches Bug Bounty Program

Related: Tor Project to Launch Bug Bounty Program

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.