GitHub bug bounties: payouts surge past $1.5 million mark

GitHub says that 2020 was the “busiest year yet” in vulnerability disclosure.
Written by Charlie Osborne, Contributing Writer

Over half a million dollars has been issued as rewards for researchers participating in GitHub's bug bounty program over the past year, bringing total payouts to over $1.5 million. 

The Microsoft-owned vendor has operated the GitHub Security Bug Bounty Program for seven years. 

Bug bounty programs are now a common way for vendors to elicit help from third-party researchers in securing products and services. Years past, it was sometimes difficult to privately disclose bugs and many companies did not have a dedicated contact or portal for vulnerability reports -- but now, both credit and financial rewards are often on offer. 

The vendor says that 2020 "was the busiest year yet" for GitHub's program.

"From February 2020 to February 2021, we handled a higher volume of submissions than any previous year," GitHub says. 

In total, 1,066 bug reports were submitted across GitHub's public and private program -- the latter of which is focused on beta and pre-release products -- over the year, and $524,250 was awarded for 203 vulnerabilities. Since 2016, the time when GitHub launched its public program on HackerOne, rewards have now reached $1,552,004.

The scope of GitHub's program includes numerous GitHub-owned domains and targets such as the GitHub API, Actions, Pages, and Gist. Critical issues, including code execution, SQL attacks, and login bypass tactics, can earn researchers up to $30,000 per report. 

GitHub also operates under the Safe Harbor principle, in which bug bounty hunters who adhere to responsible disclosure policies are protected from any potential legal ramifications of their research. 

The company says that over the past year, a universal open redirect submission has become its "favorite" bug. William Bowling was able to develop an exploit that leveraged request handlers to trigger an open redirect and also compromise Gist user OAuth flows. 

The report earned Bowling a $10,000 reward. 

GitHub also became a CVE Number Authority (CNA) in 2020 and has begun issuing CVEs for vulnerabilities in GitHub Enterprise Server. 

In related GitHub news, earlier this month the organization updated its policies on sharing software and code which can not only be used to conduct security research but also could be adopted by attackers. 

GitHub updated its terms to strip out "overly broad" language used to describe "dual-use" software, including tools such as Mimikatz, to "explicitly permit" sharing and remove the risk of any accusation of hostility toward genuine threat and cybersecurity research. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards