GitHub build out its bug bounty programme and increases reward for spotted flaws

Code repository now offers up to £30,000 for the discovery of critical vulnerabilities

Github code

GitHub is to build up its bug bounty programme, with plans to remove maximum award limits and increase the extent of what its program covers.

The programme has been running five years with the organisation paying out $165,000 to researchers through the public bug bounty program. In total, it has paid out $250,000 to security researchers in 2018 through its programme, research grants, private bug bounty programs, and a live-hacking event

Advertisement - Article continues below

In a blog post, GitHub's Philip Turnbull said that his company would increase reward amounts at all levels. The new rewards are: Critical: $20,000 $30,000+, High: $10,000 $20,000, Medium: $4,000 $10,000, and Low: $617 $2,000.

"Although we've listed $30,000 as a guideline amount for critical vulnerabilities, we're reserving the right to reward significantly more for truly cutting-edge research," said Turnbull. He added that finding higher-severity vulnerabilities in GitHub's products is becoming increasingly difficult for researchers and they should be rewarded for their efforts.

He also said the GitHub would expand the scope of the program to reward vulnerabilities in all first-party services hosted under its domain. his includes GitHub Education, GitHub Learning Lab, GitHub Jobs, and our GitHub Desktop application.

"It's not just about our user-facing systems. The security of our users' data also depends on the security of our employees and our internal systems. That's why we're also including all first-party services under our employee-facing and domains," said Turnbull.

Advertisement - Article continues below
Advertisement - Article continues below

GitHub has also added a set of Legal Safe Harbor terms to its site policy based on CC0-licensed templates. This addresses three potential areas of risk and extends protections and authorisations if researchers accidentally overstep the bounty program's scope.

"Our safe harbor now includes a firm commitment not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants' bounty program research activities. You remain protected even for good faith violations of the bounty policy," said Turnbull.

There is also a commitment to protect researchers against legal risk from third parties who won't commit to the same level of safe harbor protections.

"We will share only non-identifying information with third parties, and only after notifying you and getting that third party's written commitment not to pursue legal action against you. Unless we get your written permission, we will not share identifying information with a third party," said Turnbull.

Lastly, GitHub's safe harbour now provides a limited waiver for relevant parts of its site terms and policies, and Turnbull noted: "This protects against legal risk from DMCA anti-circumvention rules or similar contract terms that could otherwise prohibit necessary research tasks like reverse engineering or deobfuscating code."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

Is it time to put Intel Outside?

10 Jul 2020