Five years of the GitHub Bug Bounty program

Read about some big changes for the coming year: full legal protection for researchers, more GitHub properties eligible for rewards, and increased reward amounts.

Phil Turnbull
8 min read, intermediate

Overview

The article discusses the achievements and developments of GitHub's Bug Bounty program over five years, highlighting significant payouts to researchers and improvements in the program's structure. It introduces new initiatives for 2019, including legal protections for researchers, expanded scope for eligible vulnerabilities, and increased reward amounts.

What You'll Learn

1. How GitHub's Bug Bounty program is structured and how to participate in it
2. Why legal safe harbor protections for researchers matter in a bug bounty program
3. How the revised severity tiers map to reward amounts, and why critical findings have no maximum payout
4. Which GitHub first-party services are now in scope for rewards
5. How the program's faster triage and resolution times affect the reporting workflow

Key Questions Answered

What are the key highlights of GitHub's Bug Bounty program in 2018?
In 2018, GitHub paid out $250,000 to researchers, including $165,000 from the public bug bounty program. Highlights included a researcher grant for API authorization logic, participation in the H1-702 live-hacking event, and the launch of a private bug bounty program for GitHub Actions.
What changes were made to the Bug Bounty program for 2019?
For 2019, GitHub introduced legal safe harbor protections for researchers, expanded the scope of eligible vulnerabilities to include all first-party services, and increased reward amounts for various severity levels, with critical vulnerabilities now having no maximum reward.
How does GitHub ensure timely responses to bug submissions?
GitHub reworked its bug bounty workflow, cutting the average time to triage a submission from four days to 19 hours and the average time to resolution from 16 days to six days. It also keeps the average time to first response to researchers under 24 hours.
What are the new reward amounts for vulnerabilities in GitHub's Bug Bounty program?
The new reward amounts for vulnerabilities are as follows: Critical: $20,000–$30,000+, High: $10,000–$20,000, Medium: $4,000–$10,000, Low: $617–$2,000. There is no maximum reward for critical vulnerabilities, allowing for potentially higher payouts.

Key Statistics & Figures

Total payout to researchers in 2018
$250,000
This amount includes $165,000 from the public bug bounty program.
Average time to triage submissions
19 hours
This is a significant improvement from four days in 2017.
Average time to resolution
6 days
This has been reduced from 16 days in 2017.
Average time for rewarding a submission
11 days
This is down from 17 days in 2017.

Key Actionable Insights

1. Participating in GitHub's Bug Bounty program builds practical vulnerability discovery and reporting experience.
Each report exercises the full cycle of finding, reproducing, documenting and disclosing an issue, and the program's faster triage (19 hours on average) means quicker feedback on the quality of a report.
2. Read the legal safe harbor terms before you start testing.
They define what research is authorized under the program; activity within those terms carries the program's legal protection, while activity outside them does not.
3. Use the expanded scope to look at first-party services that were previously ineligible.
With all first-party GitHub services now in scope, findings in services that earlier earned nothing are eligible for rewards.

Common Pitfalls

1. Misreading the program's scope.
Testing a service that is out of scope earns no reward and falls outside the safe harbor terms, while overlooking newly eligible first-party services means missed findings. Check the current scope before starting any testing.

Related Concepts

Bug Bounty Programs
Legal Safe Harbor In Security Research
Vulnerability Reporting Best Practices