Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Funding/M&A

GitHub Paid Out Over $1 Million in Bug Bounties

GitHub this week announced that it has paid out over $1 million in rewards to the security researchers participating in its bug bounty program on HackerOne.

The security bug bounty program was launched on the hacker-powered platform in 2016, but GitHub has been accepting vulnerability reports since February 2014.

GitHub this week announced that it has paid out over $1 million in rewards to the security researchers participating in its bug bounty program on HackerOne.

The security bug bounty program was launched on the hacker-powered platform in 2016, but GitHub has been accepting vulnerability reports since February 2014.

Last year alone, the Microsoft-owned service paid almost $590,000 in total bounty rewards across its programs, and says it was able to maintain an average response time of 17 hours despite an increase in submissions of 40%.

In 2019, GitHub released several new features that were added to its bug bounty program, such as functionality to keep engineers informed of new pull requests that need attention, an improved vulnerability tracking feature in automated security updates, GitHub for mobile, GitHub Actions, and Semmle’s LGTM tool.

The code repository platform says that some of the submissions it received for vulnerabilities in these products proved highly valuable for the development cycle. GitHub awarded more than $20,000 in bounties for security bugs in the products in this expanded scope.

One of the most important vulnerability submissions received last year was an OAuth flow bypass using cross-site HEAD requests, which effectively allowed an attacker to bypass the platform’s controls and authorize OAuth applications without any user interaction.

The platform was able to release a patch for this severe vulnerability within three hours after receiving the initial submission, although the vulnerability was not being exploited in the wild. The reporting researcher received a $25,000 reward for discovering the bug.

Another important security issue GitHub patched last year was a remote code execution through command injection on GitHub.com. The flaw existed because the branch names were not correctly sanitized in the Mercurial import feature.

“What makes this bug particularly interesting is the root cause: it was ultimately caused by an outdated dependency. The bug existed in a dependency that handles code imports and was previously fixed upstream. However, we failed to keep up with the latest version and were ultimately vulnerable to this issue,” GitHub explains.

In August last year, the platform participated in the H1-702 event in Las Vegas, where top hackers from HackerOne’s platform were invited for three nights of live hacking. The event, GitHub says, was a success, and it paid over $155,000 to researchers in one night, with half of the rewards being handed out for high or critical severity issues.

The platform also conducted a private, invite-only program where some features were previewed before their official rollout, which allowed it to discover bugs before they could affect users. More than $37,000 was awarded in bounties via the private program.

For 2020, GitHub is committed to moving forward with the Security Lab bounty program, which aims to secure all open source software, and says it will be assigning CVEs to submissions that affect GitHub Enterprise Server.

Related: New GitHub Security Lab Aims to Secure Open Source Software

Related: GitHub Becomes CVE Numbering Authority, Acquires Semmle

Related: GitHub Increases Bug Bounty Program Rewards, Expands Scope

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.