Bug bounty programs are springing up in more and more places every day, and the latest site to join the list is GitHub. The site is offering bounties of up to $5,000 to researchers who find vulnerabilities in the main GitHub web property or in certain other GitHub applications.
The program is similar to those run by many other companies, such as Facebook, Google and PayPal, rewarding people who report vulnerabilities directly to the company. GitHub said most bounties will fall in the $100-$5,000 range, but the reward may go higher if there are unique circumstances.
“We are excited to launch the GitHub Bug Bounty to better engage with security researchers. The idea is simple: hackers and security researchers (like you) find and report vulnerabilities through our responsible disclosure process. Then, to recognize the significant effort that these researchers often put forth when hunting down bugs, we reward them with some cold hard cash,” the company said.
“For example, if you find a reflected XSS that is only possible in Opera, which is < 2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, which accounts for > 60% of our traffic, will earn a much larger reward.”
The open bounties right now cover the main Github.com site, the GitHub API and the Gist product. GitHub is used by individual developers and groups to share code and manage projects. The company is also offering researchers points for the vulnerabilities they report, and is maintaining a leaderboard of bug finders. Like most other bug bounty programs, the GitHub program requires that researchers not disclose a vulnerability publicly before it has been fixed. The company also asks that researchers not use automated scanners or try to gain access to another user's account as part of the program.
Image from Flickr photos of Othree.