Microsoft-owned software development solutions provider GitHub announced on Friday that it has paid out more than $1.5 million through its bug bounty program since 2016, when it started using the HackerOne bug bounty platform.
According to the company, in 2020, it paid out over half a million dollars for more than 200 vulnerabilities affecting its products and services. The amount is roughly the same as in the previous year.
GitHub said it received more than 1,000 submissions through its public and private bug bounty programs, and claimed that its response times improved by 4 hours compared to 2019 — the average in 2020 was 13 hours to the first response.
The company also claims to have validated and triaged vulnerability reports within 24 hours on average, and rewards were paid out 24 days after the report was submitted.
GitHub has also shared some information on the private bug bounty programs conducted last year, and described one of the most interesting vulnerability reports it received in 2020.
The flaw was discovered by William Bowling, who demonstrated how an open redirect bug on GitHub.com could have been exploited to log into GitHub Gist for any user by tricking them into clicking on a malicious link. Bowling was awarded $10,000 for his findings.
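The report above turns on an open redirect: a login flow that forwards the browser to a caller-supplied URL without confirming the destination stays on the site. The following added example (not GitHub's code, and not a reconstruction of the reported bug) shows the defender-side check such a flow needs. The host names `github.example` and `gist.github.example` are constructed placeholders, and the function names are hypothetical; the check rejects foreign hosts, protocol-relative and backslash variants, userinfo tricks and non-HTTP schemes, and goes beyond the single case in the text by treating each of those variants.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to (constructed for the example).
ALLOWED_HOSTS = {"github.example", "gist.github.example"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allowed host.

    Rejects absolute URLs to foreign hosts, protocol-relative URLs
    ("//evil.example"), backslash variants ("/\\evil.example", which
    browsers normalise to "//evil.example"), non-http schemes, and
    userinfo tricks ("https://github.example@evil.example").
    """
    if not target:
        return False
    # Browsers treat "\" like "/" in the authority and path, so normalise first.
    normalised = target.replace("\\", "/")
    # Whitespace and control characters change how a browser parses the URL.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in normalised):
        return False
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc == "":
        # Purely relative targets must be an absolute path on this site
        # ("/settings"); "evil.example/x" or "///evil.example" are refused.
        return normalised.startswith("/") and not normalised.startswith("//")
    # urlsplit keeps "user:pass@" in netloc; .hostname strips it, drops the
    # port and lowercases, so the comparison is against the real host only.
    host = parts.hostname
    if host is None:
        return False
    return host in allowed_hosts


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Return `target` when it is safe, otherwise a fixed on-site fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ("/settings", "//evil.example", "/\\evil.example",
                      "https://github.example@evil.example/", "https://gist.github.example/abc"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)!r}")
```

The comparison is an exact match against an allow-list rather than a suffix or prefix check, so `github.example.evil.example` and `https://github.example@evil.example` are both refused; a site that needs subdomain wildcards should add them explicitly rather than loosen the match.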
“2021 has seen significant investment and growth across GitHub’s security program. In June, we created a new internal team dedicated to the execution and growth of our bug bounty program,” said Greg Ose, director of product security engineering at GitHub. “This team will help further accelerate and refine our triage and response process as well as expand into new initiatives such as live hacking events and additional private bug bounty programs.”
GitHub recently announced that it has updated its policies on vulnerability research, malware and exploits, pointing out that it welcomes and encourages dual-use security research. The changes were made following some controversy over the hosting of PoC exploits.