IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

GitHub bug bounty payouts surpass $1.5 million

The Microsoft-owned company's bounty programme, which launched on HackerOne in 2016, awarded more than $500,000 in the last 12 months

GitHub awarded $524,250 (£377,017) in bug bounties in the last year, bringing total payouts from the five-year-old programme to $1,552,004.

The company said that 2020 was the programme's “busiest year yet”, and from February 2020 to 2021, it handled a higher volume of submissions than any previous year. The over half a million in bounties was awarded for 203 vulnerabilities in its products and services.

In total, 1,066 submissions were made to the programme, which was launched in 2016 on HackerOne. The Microsoft-owned company’s response time improved by four hours from 2019 to an average of 13 hours to first response.

Furthermore, submissions were validated and triaged internally to partner teams within 24 hours on average, while bounties were paid out 24 days after the submission of an eligible report.

One of the “most interesting” submissions GitHub received in 2020 was an open redirect vulnerability discovered by William Bowling which was awarded $10,000. The vulnerability on GitHub.com could be used to compromise the OAuth flow of Gist users.

Moreover, GitHub also became a CVE Number Authority (CNA) in 2020 where it began issuing CVEs for vulnerabilities in GitHub Enterprise Server. “Being a CNA allows us to clearly and consistently communicate to customers the issues that are fixed in our products, allowing customers to properly identify outdated GitHub Enterprise Server instances and prioritise upgrades,” stated the company.

Related Resource

The definitive guide to IT security

Protecting your MSP and your customers

The definitive guide to IT security for MSPs - whitepaper from LiongardDownload now

At the start of June, GitHub updated its policies to reduce the potential for hackers to abuse the platform, including blocking any code used in ongoing attacks. The change explicitly allowed dual-use security technologies and content related to security research to remain on the platform but will take action against projects that may lead to causing harm to others. GitHub users are prohibited from uploading or sharing any content through the platform which can deliver malicious files, or from manipulating it to serve as a Command and Control infrastructure.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

GitHub's latest security updates aim to protect projects in their earliest stages
Development

GitHub's latest security updates aim to protect projects in their earliest stages

7 Apr 2022
GitHub's ultra-fast onboarding tool Codespaces makes its way to public beta
Development

GitHub's ultra-fast onboarding tool Codespaces makes its way to public beta

25 Feb 2022
GitHub goes open source on security research
Development

GitHub goes open source on security research

22 Feb 2022
GitHub launches code scanning tool for JavaScript and TypeScript projects
Development

GitHub launches code scanning tool for JavaScript and TypeScript projects

18 Feb 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022