GitHub build out its bug bounty programme and increases reward for spotted flaws

Code repository now offers up to £30,000 for the discovery of critical vulnerabilities

GitHub is to build up its bug bounty programme, with plans to remove maximum award limits and increase the extent of what its program covers.

The programme has been running five years with the organisation paying out $165,000 to researchers through the public bug bounty program. In total, it has paid out $250,000 to security researchers in 2018 through its programme, research grants, private bug bounty programs, and a live-hacking event

In a blog post, GitHub's Philip Turnbull said that his company would increase reward amounts at all levels. The new rewards are: Critical: $20,000 $30,000+, High: $10,000 $20,000, Medium: $4,000 $10,000, and Low: $617 $2,000.

"Although we've listed $30,000 as a guideline amount for critical vulnerabilities, we're reserving the right to reward significantly more for truly cutting-edge research," said Turnbull. He added that finding higher-severity vulnerabilities in GitHub's products is becoming increasingly difficult for researchers and they should be rewarded for their efforts.

He also said the GitHub would expand the scope of the program to reward vulnerabilities in all first-party services hosted under its github.com domain. his includes GitHub Education, GitHub Learning Lab, GitHub Jobs, and our GitHub Desktop application.

"It's not just about our user-facing systems. The security of our users' data also depends on the security of our employees and our internal systems. That's why we're also including all first-party services under our employee-facing githubapp.com and github.net domains," said Turnbull.

GitHub has also added a set of Legal Safe Harbor terms to its site policy based on CC0-licensed templates. This addresses three potential areas of risk and extends protections and authorisations if researchers accidentally overstep the bounty program's scope.

"Our safe harbor now includes a firm commitment not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants' bounty program research activities. You remain protected even for good faith violations of the bounty policy," said Turnbull.

There is also a commitment to protect researchers against legal risk from third parties who won't commit to the same level of safe harbor protections.

"We will share only non-identifying information with third parties, and only after notifying you and getting that third party's written commitment not to pursue legal action against you. Unless we get your written permission, we will not share identifying information with a third party," said Turnbull.

Lastly, GitHub's safe harbour now provides a limited waiver for relevant parts of its site terms and policies, and Turnbull noted: "This protects against legal risk from DMCA anti-circumvention rules or similar contract terms that could otherwise prohibit necessary research tasks like reverse engineering or deobfuscating code."

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021