Microsoft-owned code hosting platform GitHub on Tuesday announced that it paid out more than $1.57 million in rewards through its bug bounty program between February 2022 and February 2023.
As part of the program, which has been running on the HackerOne platform since 2016, GitHub handed out a total of over $3.8 million in bug bounty rewards.
Last year, the code hosting platform received more than 2,000 vulnerability reports and awarded bounties for 364 security defects. The highest number of submissions was registered in June 2022, during its H1-512 live hacking event in Austin.
A total of 45 in-person and remote researchers participated in the hacking event. Roughly half of the 182 received submissions were validated and GitHub handed out close to $700,000 in bug bounties.
“H1-512 was a fantastic opportunity for our team to experience the excitement and passion of our hackers in person. This event enabled us to break down the barriers of the screen and to make meaningful connections,” GitHub says.
The platform started a limited disclosure of reports for vulnerabilities in GitHub Enterprise Server (GHES) and open source projects that receive a CVE identifier, and plans to disclose more reports via HackerOne.
Additionally, GitHub continues to find new ways to expand its rewards for the reporting researchers, and says it will complement eligible submissions with non-monetary rewards to attract more white hat hackers to its bug bounty program.
“We encourage researchers of all levels to submit reports to our bug bounty program. Your submissions are greatly valued and impactful to ensuring the safety and security of our products, our users, and the community,” GitHub notes.
