GitHub bug bounty: Microsoft ramps up payouts to $30,000-plus

GitHub revamps its bug bounty with higher rewards and legal safe-harbor terms for researchers.


Microsoft-owned code-hosting site GitHub has removed the cap on its top payout under its bug bounty and made the program less legally risky for researchers.

GitHub is giving its five-year-old security bug bounty a refresh with higher rewards, more products in scope for rewards, and new legal protections for hackers.

The company has removed the limit on the maximum it will pay researchers for finding critical bugs. In general, researchers could expect between $20,000 and $30,000 for critical bugs, but GitHub says it will reward "significantly more for truly cutting-edge research". 

It's also raising rewards at the lower severity levels. High-severity bugs will earn between $10,000 and $20,000, medium-severity bugs between $4,000 and $10,000, and low-severity bugs between $617 and $2,000.

"We regularly assess our reward amounts against our industry peers. We also recognize that finding higher-severity vulnerabilities in GitHub's products is becoming increasingly difficult for researchers and they should be rewarded for their efforts. That's why we've increased our reward amounts at all levels," said GitHub's Phil Turnbull. 

Now all first-party services hosted under the GitHub.com domain are in scope for rewards, including GitHub Education, GitHub Learning Lab, GitHub Jobs, and the GitHub Desktop application. GitHub's Enterprise Cloud is now also included in the program, as are its employee-facing sites on the githubapp.co and github.net domains.

Finally, GitHub wanted to remove some of the legal risks that its bug-bounty program exposed researchers to if they violated the site terms in the name of security research. To address this issue, GitHub has added a new set of Legal Safe Harbor terms to its site policy with clearly stated protections. 


With the new Legal Safe Harbor, researchers are shielded from violating GitHub's site terms if their actions are specifically for bug-bounty research. Researchers can now safely disregard GitHub's Enterprise Agreement restrictions on reverse-engineering. 

GitHub also vows not to sue researchers if they accidentally overstep the bounty's scope, and to protect researchers from third parties who don't offer the same level of safe-harbor protections.  

"To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good-faith violations of this policy," GitHub's safe-harbor terms read. 

"We consider security research and vulnerability disclosure activities conducted consistent with this policy to be 'authorized' conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug-bounty program's scope."
