GitHub Paid Out Over $1 Million in Bug Bounties

GitHub this week announced that it has paid out over $1 million in rewards to the security researchers participating in its bug bounty program on HackerOne.

The security bug bounty program was launched on the hacker-powered platform in 2016, but GitHub has been accepting vulnerability reports since February 2014.

Last year alone, the Microsoft-owned service paid almost $590,000 in total bounty rewards across its programs, and says it was able to maintain an average response time of 17 hours despite an increase in submissions of 40%.

In 2019, GitHub released several new features that were added to its bug bounty program, such as functionality to keep engineers informed of new pull requests that need attention, an improved vulnerability tracking feature in automated security updates, GitHub for mobile, GitHub Actions, and Semmle’s LGTM tool.

The code repository platform says that some of the submissions it received for vulnerabilities in these products proved highly valuable for the development cycle. GitHub awarded more than $20,000 in bounties for security bugs in the products in this expanded scope.

One of the most important vulnerability submissions received last year was an OAuth flow bypass using cross-site HEAD requests, which effectively allowed an attacker to bypass the platform’s controls and authorize OAuth applications without any user interaction.

The platform was able to release a patch for this severe vulnerability within three hours after receiving the initial submission, although the vulnerability was not being exploited in the wild. The reporting researcher received a $25,000 reward for discovering the bug.

Another important security issue GitHub patched last year was a remote code execution through command injection on GitHub.com. The flaw existed because the branch names were not correctly sanitized in the Mercurial import feature.

“What makes this bug particularly interesting is the root cause: it was ultimately caused by an outdated dependency. The bug existed in a dependency that handles code imports and was previously fixed upstream. However, we failed to keep up with the latest version and were ultimately vulnerable to this issue,” GitHub explains.

In August last year, the platform participated in the H1-702 event in Las Vegas, where top hackers from HackerOne’s platform were invited for three nights of live hacking. The event, GitHub says, was a success, and it paid over $155,000 to researchers in one night, with half of the rewards being handed out for high or critical severity issues.

The platform also conducted a private, invite-only program where some features were previewed before their official rollout, which allowed it to discover bugs before they could affect users. More than $37,000 was awarded in bounties via the private program.

For 2020, GitHub is committed to moving forward with the Security Lab bounty program, which aims to secure all open source software, and says it will be assigning CVEs to submissions that affect GitHub Enterprise Server.

Related: New GitHub Security Lab Aims to Secure Open Source Software

Related: GitHub Becomes CVE Numbering Authority, Acquires Semmle

Related: GitHub Increases Bug Bounty Program Rewards, Expands Scope