Vulnerabilities

GitHub Raises Maximum Bug Bounty Payout to $10,000

Git repository hosting service GitHub has doubled the maximum amount of money it’s prepared to pay out to researchers who responsibly disclose vulnerabilities.

Eduard Kovacs

January 30, 2015

Git repository hosting service GitHub has doubled the maximum amount of money it’s prepared to pay out to researchers who responsibly disclose vulnerabilities.

GitHub launched its bug bounty program exactly one year ago. Over the past year, security experts submitted a total of 1,920 reports, of which 869 warranted further review. In the end, 73 previously unknown vulnerabilities were fixed, the company said.

As far as rewards are concerned, GitHub has paid out a total of $55,100 to 33 researchers who reported 57 medium to high risk security flaws. Up until this week, the maximum bounty payout was $5,000, but now GitHub has decided to double it to $10,000.

GitHub bug bounty program submissions

The top reporters so far are Aleksandr Dobkin, joernchen of Phenoelit, and Russian software developer Egor Homakov.

Dobkin has reported remote code execution, arbitrary file read, stored cross-site scripting (XSS), open redirect, and other types of vulnerabilities. One of the most interesting bugs identified by the researcher is a DOM-based XSS that leveraged a previously unknown flaw in Chrome. The vulnerability could have been exploited to bypass GitHub’s Content Security Policy.

Joernchen has discovered a MySQL typecasting authentication bypass, a two-factor authentication brute force issue, and a bug that could be leveraged to view the members of a team without authorization. However, the most interesting issue reported by the researcher is a vulnerability that could have been used to set arbitrary environment variables. The expert demonstrated that an attacker could have even executed arbitrary commands by exploiting this flaw.

GitHub’s bug bounty program covers the GitHub API, Gist, GitHub.com, and other applications developed and maintained by the company.

Bug bounty programs are said to be more cost-effective than hiring a team of security experts. This is probably why several high-profile organizations have launched responsible vulnerability disclosure programs over the past year. The list includes Twitter, Pinterest, Blackphone/Silent Circle, and Riot Games.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation and Information Sharing

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Derek Manky

How the Atomized Network Changed Enterprise Protection

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge.

Matt Wilson

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George

Why CISOs Make Great Board Members

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make for successful board members.

Galina Antova