GitHub builds out its bug bounty programme and increases rewards for spotted flaws

Code repository now offers up to £30,000 for the discovery of critical vulnerabilities


GitHub is to build up its bug bounty programme, with plans to remove maximum award limits and widen the scope of what the programme covers.

The programme has been running for five years, with the organisation paying out $165,000 to researchers through the public bug bounty programme. In total, it paid out $250,000 to security researchers in 2018 through its programme, research grants, private bug bounty programmes, and a live-hacking event.

In a blog post, GitHub's Philip Turnbull said that his company would increase reward amounts at all levels. The new reward ranges are: Critical: $20,000 to $30,000+; High: $10,000 to $20,000; Medium: $4,000 to $10,000; and Low: $617 to $2,000.

"Although we've listed $30,000 as a guideline amount for critical vulnerabilities, we're reserving the right to reward significantly more for truly cutting-edge research," said Turnbull. He added that finding higher-severity vulnerabilities in GitHub's products is becoming increasingly difficult for researchers and they should be rewarded for their efforts.

He also said GitHub would expand the scope of the programme to reward vulnerabilities in all first-party services hosted under its github.com domain. This includes GitHub Education, GitHub Learning Lab, GitHub Jobs, and the GitHub Desktop application.

"It's not just about our user-facing systems. The security of our users' data also depends on the security of our employees and our internal systems. That's why we're also including all first-party services under our employee-facing githubapp.com and github.net domains," said Turnbull.

GitHub has also added a set of Legal Safe Harbor terms to its site policy based on CC0-licensed templates. This addresses three potential areas of risk and extends protections and authorisations if researchers accidentally overstep the bounty program's scope.

"Our safe harbor now includes a firm commitment not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants' bounty program research activities. You remain protected even for good faith violations of the bounty policy," said Turnbull.

There is also a commitment to protect researchers against legal risk from third parties who won't commit to the same level of safe harbor protections.

"We will share only non-identifying information with third parties, and only after notifying you and getting that third party's written commitment not to pursue legal action against you. Unless we get your written permission, we will not share identifying information with a third party," said Turnbull.

Lastly, GitHub's safe harbour now provides a limited waiver for relevant parts of its site terms and policies, and Turnbull noted: "This protects against legal risk from DMCA anti-circumvention rules or similar contract terms that could otherwise prohibit necessary research tasks like reverse engineering or deobfuscating code."
