GitHub build out its bug bounty programme and increases reward for spotted flaws

GitHub code on a dark background
(Image credit: Shutterstock)

GitHub is to build up its bug bounty programme, with plans to remove maximum award limits and increase the extent of what its program covers.

The programme has been running five years with the organisation paying out $165,000 to researchers through the public bug bounty program. In total, it has paid out $250,000 to security researchers in 2018 through its programme, research grants, private bug bounty programs, and a live-hacking event

In a blog post, GitHub's Philip Turnbull said that his company would increase reward amounts at all levels. The new rewards are: Critical: $20,000 $30,000+, High: $10,000 $20,000, Medium: $4,000 $10,000, and Low: $617 $2,000.

"Although we've listed $30,000 as a guideline amount for critical vulnerabilities, we're reserving the right to reward significantly more for truly cutting-edge research," said Turnbull. He added that finding higher-severity vulnerabilities in GitHub's products is becoming increasingly difficult for researchers and they should be rewarded for their efforts.

He also said the GitHub would expand the scope of the program to reward vulnerabilities in all first-party services hosted under its github.com domain. his includes GitHub Education, GitHub Learning Lab, GitHub Jobs, and our GitHub Desktop application.

"It's not just about our user-facing systems. The security of our users' data also depends on the security of our employees and our internal systems. That's why we're also including all first-party services under our employee-facing githubapp.com and github.net domains," said Turnbull.

GitHub has also added a set of Legal Safe Harbor terms to its site policy based on CC0-licensed templates. This addresses three potential areas of risk and extends protections and authorisations if researchers accidentally overstep the bounty program's scope.

"Our safe harbor now includes a firm commitment not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants' bounty program research activities. You remain protected even for good faith violations of the bounty policy," said Turnbull.

There is also a commitment to protect researchers against legal risk from third parties who won't commit to the same level of safe harbor protections.

"We will share only non-identifying information with third parties, and only after notifying you and getting that third party's written commitment not to pursue legal action against you. Unless we get your written permission, we will not share identifying information with a third party," said Turnbull.

Lastly, GitHub's safe harbour now provides a limited waiver for relevant parts of its site terms and policies, and Turnbull noted: "This protects against legal risk from DMCA anti-circumvention rules or similar contract terms that could otherwise prohibit necessary research tasks like reverse engineering or deobfuscating code."

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.