GitHub bug bounty payouts surpass $1.5 million

The Microsoft-owned company's bounty programme, which launched on HackerOne in 2016, awarded more than $500,000 in the last 12 months

GitHub awarded $524,250 (£377,017) in bug bounties in the last year, bringing total payouts from the five-year-old programme to $1,552,004.

The company said that 2020 was the programme's “busiest year yet”, and from February 2020 to 2021, it handled a higher volume of submissions than any previous year. The over half a million in bounties was awarded for 203 vulnerabilities in its products and services.

In total, 1,066 submissions were made to the programme, which was launched in 2016 on HackerOne. The Microsoft-owned company’s response time improved by four hours from 2019 to an average of 13 hours to first response.

Furthermore, submissions were validated and triaged internally to partner teams within 24 hours on average, while bounties were paid out 24 days after the submission of an eligible report.

One of the “most interesting” submissions GitHub received in 2020 was an open redirect vulnerability discovered by William Bowling which was awarded $10,000. The vulnerability on GitHub.com could be used to compromise the OAuth flow of Gist users.

Moreover, GitHub also became a CVE Number Authority (CNA) in 2020 where it began issuing CVEs for vulnerabilities in GitHub Enterprise Server. “Being a CNA allows us to clearly and consistently communicate to customers the issues that are fixed in our products, allowing customers to properly identify outdated GitHub Enterprise Server instances and prioritise upgrades,” stated the company.

Related Resource

The definitive guide to IT security

Protecting your MSP and your customers

The definitive guide to IT security for MSPs - whitepaper from LiongardDownload now

At the start of June, GitHub updated its policies to reduce the potential for hackers to abuse the platform, including blocking any code used in ongoing attacks. The change explicitly allowed dual-use security technologies and content related to security research to remain on the platform but will take action against projects that may lead to causing harm to others. GitHub users are prohibited from uploading or sharing any content through the platform which can deliver malicious files, or from manipulating it to serve as a Command and Control infrastructure.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

GitHub revokes duplicate SSH auth keys generated by keypair library
cyber security

GitHub revokes duplicate SSH auth keys generated by keypair library

12 Oct 2021
StackHawk announces native dynamic application and API security testing for GitHub
cyber security

StackHawk announces native dynamic application and API security testing for GitHub

13 Aug 2021
GitHub is opening Codespaces to enterprises
software development

GitHub is opening Codespaces to enterprises

12 Aug 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021