
GitHub Paid Out Over $1.5 Million via Bug Bounty Program Since 2016

Microsoft-owned software development solutions provider GitHub announced on Friday that it has paid out more than $1.5 million through its bug bounty program since 2016, when it started using the HackerOne bug bounty platform.

According to the company, in 2020, it paid out over half a million dollars for more than 200 vulnerabilities affecting its products and services. The amount is roughly the same as in the previous year.

GitHub said it received more than 1,000 submissions through its public and private bug bounty programs, and claimed that its response times improved by 4 hours compared to 2019 — the average in 2020 was 13 hours to the first response.

The company also claims to have validated and triaged vulnerability reports within 24 hours on average, and to have paid rewards, on average, 24 days after a report was submitted.

GitHub has also shared some information on the private bug bounty programs conducted last year, and described one of the most interesting vulnerability reports it received in 2020.

The flaw was discovered by William Bowling, who demonstrated how an open redirect bug on GitHub.com could have been exploited to log into GitHub Gist for any user by tricking them into clicking on a malicious link. Bowling was awarded $10,000 for his findings.
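The report above describes an open redirect chained into a login flow, which is the classic way such a bug becomes an account takeover: a post-login redirect carries a session token or authorization code to whatever destination the attacker placed in the link. The following is an added example written for this page. It is not GitHub's code and not a reconstruction of the reported bug; it contrasts the common prefix-based redirect check with a parser-based one. The allowlist (ALLOWED_HOSTS) and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this application may redirect to after login.
ALLOWED_HOSTS = {"example.com", "gist.example.com"}


def naive_is_safe_redirect(target: str) -> bool:
    """The common mistake: treat anything starting with '/' as same-site.

    '//attacker.example/x' starts with '/' but browsers resolve it as a
    scheme-relative URL and navigate to attacker.example, so a token
    appended to the redirect leaves the site.
    """
    return target.startswith("/")


def hardened_is_safe_redirect(target: str) -> bool:
    """Decide on parsed URL components, not on a string prefix."""
    # Browsers normalise backslashes to slashes ('/\attacker.example' becomes
    # '//attacker.example'); reject them rather than guess per-client behaviour.
    if "\\" in target or "\n" in target or "\r" in target:
        return False
    parts = urlsplit(target)
    # Path-relative targets such as '/settings' have neither scheme nor netloc.
    # urlsplit('//attacker.example/x') yields an empty scheme but a netloc,
    # so a scheme-relative URL never reaches this branch as "safe".
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    # Absolute targets must be https and point at an allowlisted host.
    # Using parts.hostname (not netloc) also defeats 'https://example.com@attacker.example/'.
    if parts.scheme != "https":
        return False
    return (parts.hostname or "") in ALLOWED_HOSTS


def login_redirect_target(requested: str, default: str = "/") -> str:
    """What a login handler should do with the user-supplied 'next' value:
    honour it only if it passes the hardened check, otherwise fall back."""
    return requested if hardened_is_safe_redirect(requested) else default


if __name__ == "__main__":
    # Constructed sample inputs for this example.
    samples = [
        "/settings",
        "//attacker.example/x",
        "/\\attacker.example",
        "https://example.com/dashboard",
        "https://example.com@attacker.example/",
        "https://example.com.attacker.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_is_safe_redirect(s)!s:5} hardened={hardened_is_safe_redirect(s)}")
```

The check is deliberately an allowlist on the parsed hostname: blocklisting strings like "http" or "//" keeps failing on the next encoding trick, while requiring a parsed, exact host match does not depend on what the attacker can smuggle into the prefix.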

“2021 has seen significant investment and growth across GitHub’s security program. In June, we created a new internal team dedicated to the execution and growth of our bug bounty program,” said Greg Ose, director of product security engineering at GitHub. “This team will help further accelerate and refine our triage and response process as well as expand into new initiatives such as live hacking events and additional private bug bounty programs.”

GitHub recently announced that it has updated its policies on vulnerability research, malware and exploits, pointing out that it welcomes and encourages dual-use security research. The changes were made following some controversy over the hosting of PoC exploits.


Related: Verizon, PayPal, Uber Paid Out Most Through Bug Bounty Programs on HackerOne

Related: GitHub Informs Users of ‘Potentially Serious’ Authentication Bug

Related: Details Disclosed for GitHub Pages Flaws That Earned Researchers $35,000

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
