GitHub Doubles Down on Maximum Bug Bounty Payouts

GitHub announced that it has doubled the maximum payouts possible via its bug bounty program to $10,000.

Almost a year to the day since Github announced its bug bounty program, the Git repository said yesterday that it will double its maximum payout to $10,000.

Ben Toews, a GitHub staffer, said yesterday that since the launch of the GitHub Security Bug Bounty, 73 previously unknown vulnerabilities have been patched.

“Of 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications,” Toews said in a post to the GitHub blog. He added that GitHub has paid out $50,100 in bounties to 33 different researchers reporting 57 medium- to high-risk security issues.

“We saw some incredibly involved and creative vulnerabilities reported,” Toews said.

GitHub pays bounties for verifiable bugs in the GitHub API, GitHub Gist, and the GitHub.com website. Until yesterday, rewards ranged from $100 to $5,000 in each open bounty. The API, for example, exposes a lot of the website’s functionality and data so it was a priority. The Gist is a GitHub code-sharing product built on Ruby on Rails and other open source components; bounties here vary depending on certain factors, GitHub said. As for the website, bounties there too depend on different factors and risks.

Bug bounties are an efficient and economical way for under-resourced organizations to expose applications to researchers who can help identify and fix potentially critical security vulnerabilities. Larger organizations such as Facebook have prominent in-house bounties. Facebook’s, for example, paid out $1.5 million in 2013 with submissions growing almost 250 percent year over year.

Others are taking advantage of bug bounty platforms offered by providers such as BugCrowd and HackerOne. In these cases, providers essentially crowdsource vulnerability discovery and management. A self-contained community hammers away at applications on these respective platforms and earn bounties for bugs that meet certain criteria.

GitHub’s Toews pointed out one of GitHub’s top bug submitters, Aleksandr Dobkin, who found a troubling cross-site scripting flaw that when combined with a zero day in Google’s Chrome browser achieved a bypass of GitHub’s content security policy.

GitHub maintains a leaderboard of its top bug hunters. The system requires that researchers who find vulnerabilities in a GitHub property not disclose it before a patch has been released and implemented. Researchers are also not allowed to use automated scanners against GitHub, or access another user’s account as part of the program.

Toews said vulnerabilities can be submitted here, and should also be accompanied by proper documentation that will allow GitHub to reproduce the vulnerability.

Suggested articles