Microsoft-owned software development solutions provider GitHub announced on Friday that it has paid out more than $1.5 million through its bug bounty program since 2016, when it started using the HackerOne bug bounty platform.
According to the company, in 2020, it paid out over half a million dollars for more than 200 vulnerabilities affecting its products and services. The amount is roughly the same as in the previous year.
GitHub said it received more than 1,000 submissions through its public and private bug bounty programs, and claimed that its response times improved by 4 hours compared to 2019 — the average in 2020 was 13 hours to the first response.
The company also says it validated and triaged vulnerability reports within 24 hours on average, and that rewards were paid out an average of 24 days after a report was submitted.
GitHub has also shared some information on the private bug bounty programs conducted last year, and described one of the most interesting vulnerability reports it received in 2020.
The flaw was discovered by William Bowling, who demonstrated how an open redirect bug on GitHub.com could have been exploited to log into GitHub Gist as any user by tricking the victim into clicking on a malicious link. Bowling was awarded $10,000 for his findings.
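The article does not describe the mechanics of Bowling's report, but the bug class is worth a closer look. An open redirect is a page that sends the browser to a URL taken from a request parameter (typically a post-login "next" or "return_to" value) without checking where it points; once a login flow can be made to finish on an attacker's host, whatever that flow appends to the URL ends up with the attacker. The following is an added example, not GitHub's code and not Bowling's exploit: a naive redirect check beside a hardened one, with the origin, allowed hosts and parameter name all made up for illustration. It also covers the usual bypasses of a "starts with a slash" check (protocol-relative URLs, backslashes, extra slashes, embedded tab characters and userinfo tricks), which go beyond anything the article states.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed example values: this hypothetical application's own origin and
# the only hosts it is willing to send a user to after login.
SELF_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "gist.example.com"}


def vulnerable_redirect_target(next_param: str) -> str:
    """The classic open redirect: a 'next' value is trusted because it begins with '/'.

    A protocol-relative value such as '//evil.example/' passes this test, and the
    browser resolves it to https://evil.example/, so the user lands on a host the
    attacker controls, carrying whatever the login flow appended to the URL.
    """
    if next_param.startswith("/"):
        return next_param
    return "/"


def safe_redirect_target(next_param: str) -> str:
    """Return an absolute URL on an allowed host, or '/' if the value is untrusted."""
    if not next_param:
        return "/"
    # Browsers drop ASCII tab/newline anywhere in a URL and treat '\' as '/',
    # so normalise the same way before making any decision.
    candidate = "".join(ch for ch in next_param if ord(ch) >= 0x20).strip()
    candidate = candidate.replace("\\", "/")
    # Two or more leading slashes is an authority to a browser ('///evil.example'
    # also resolves to evil.example), even though urljoin would keep it as a path.
    if candidate.startswith("//"):
        return "/"
    try:
        parts = urlsplit(urljoin(SELF_ORIGIN + "/", candidate))
    except ValueError:  # e.g. a malformed IPv6 literal
        return "/"
    # .hostname strips userinfo and port, so 'https://example.com@evil.example'
    # is seen as evil.example, and 'example.com.evil.example' is simply not listed.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return "/"
    # Rebuild the target from the parsed pieces rather than echoing the input.
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for value in ("/settings?tab=ssh", "//evil.example/", "/\\evil.example/",
                  "///evil.example/", "/\t/evil.example/",
                  "https://example.com@evil.example/", "https://gist.example.com/abc"):
        print(f"{value!r:40} vulnerable -> {vulnerable_redirect_target(value)!r:28} "
              f"safe -> {safe_redirect_target(value)!r}")
```

The important design choice is the last step: the hardened version never returns the caller's string, only a URL rebuilt from a parsed, allow-listed host. Prefix or substring checks on the raw value ("contains github.com", "starts with /") are exactly what the bypasses above defeat.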
“2021 has seen significant investment and growth across GitHub’s security program. In June, we created a new internal team dedicated to the execution and growth of our bug bounty program,” said Greg Ose, director of product security engineering at GitHub. “This team will help further accelerate and refine our triage and response process as well as expand into new initiatives such as live hacking events and additional private bug bounty programs.”
GitHub recently announced that it has updated its policies on vulnerability research, malware and exploits, pointing out that it welcomes and encourages dual-use security research. The changes were made following some controversy over the hosting of PoC exploits.
Related: Verizon, PayPal, Uber Paid Out Most Through Bug Bounty Programs on HackerOne
Related: GitHub Informs Users of ‘Potentially Serious’ Authentication Bug
Related: Details Disclosed for GitHub Pages Flaws That Earned Researchers $35,000

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
