Following the success of bounty programs launched by Google, Microsoft, and Mozilla, GitHub has announced a reward scheme that promises to pay anywhere from $100 to $5,000 to researchers who disclose vulnerabilities responsibly. The program is open to all researchers who are at least 13 years of age.
In a statement, GitHub said it was about having more eyes in place to help discover problems:
"Our users' trust is something we never take for granted here at GitHub. In order to earn and keep that trust we are always working to improve the security of our services. Some vulnerabilities, however, can be very hard to track down and it never hurts to have more eyes."
The program itself just started, so there are some limits as to what can be tested and how tests can be performed. Currently, the bounty program only accepts reports that focus on GitHub.com, GitHub Gist, and the GitHub API. The payouts will be determined on a number of factors, including scale and scope:
"Our security and development teams take many factors into account when determining a reward. These factors include the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and systems. Sometimes an otherwise critical vulnerability has a very low impact simply because it is mitigated by some other component, e.g. requires user interaction, an obscure web browser, or would need to be combined with another vulnerability that does not currently exist."
There are also limits as to how researchers can work. Automated scanning tools are forbidden, as are attacks that could "harm the reliability/integrity" of GitHub's services. Non-technical attacks, such as social engineering and phishing, are also forbidden, as are attacks that would give the researcher access to another user's account or data.
Naturally, anyone who doesn't adhere to responsible disclosure practices and discloses a bug before it is fixed will be disqualified.
On the other hand, GitHub has rules of its own to follow, including processing submissions as quickly as possible (often within 24 hours), maintaining clear and open lines of communication to keep the researcher updated on the status of a given fix, and promising that it "will not take legal action against you if you play by the rules."
Additional details are available on the GitHub bounty page.