GitHub build out its bug bounty programme and increases reward for spotted flaws

Code repository now offers up to £30,000 for the discovery of critical vulnerabilities

Github code

GitHub is to build up its bug bounty programme, with plans to remove maximum award limits and increase the extent of what its program covers.

The programme has been running five years with the organisation paying out $165,000 to researchers through the public bug bounty program. In total, it has paid out $250,000 to security researchers in 2018 through its programme, research grants, private bug bounty programs, and a live-hacking event

In a blog post, GitHub's Philip Turnbull said that his company would increase reward amounts at all levels. The new rewards are: Critical: $20,000 $30,000+, High: $10,000 $20,000, Medium: $4,000 $10,000, and Low: $617 $2,000.

"Although we've listed $30,000 as a guideline amount for critical vulnerabilities, we're reserving the right to reward significantly more for truly cutting-edge research," said Turnbull. He added that finding higher-severity vulnerabilities in GitHub's products is becoming increasingly difficult for researchers and they should be rewarded for their efforts.

He also said the GitHub would expand the scope of the program to reward vulnerabilities in all first-party services hosted under its domain. his includes GitHub Education, GitHub Learning Lab, GitHub Jobs, and our GitHub Desktop application.

"It's not just about our user-facing systems. The security of our users' data also depends on the security of our employees and our internal systems. That's why we're also including all first-party services under our employee-facing and domains," said Turnbull.

GitHub has also added a set of Legal Safe Harbor terms to its site policy based on CC0-licensed templates. This addresses three potential areas of risk and extends protections and authorisations if researchers accidentally overstep the bounty program's scope.

"Our safe harbor now includes a firm commitment not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants' bounty program research activities. You remain protected even for good faith violations of the bounty policy," said Turnbull.

There is also a commitment to protect researchers against legal risk from third parties who won't commit to the same level of safe harbor protections.

"We will share only non-identifying information with third parties, and only after notifying you and getting that third party's written commitment not to pursue legal action against you. Unless we get your written permission, we will not share identifying information with a third party," said Turnbull.

Lastly, GitHub's safe harbour now provides a limited waiver for relevant parts of its site terms and policies, and Turnbull noted: "This protects against legal risk from DMCA anti-circumvention rules or similar contract terms that could otherwise prohibit necessary research tasks like reverse engineering or deobfuscating code."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021