GitHub increases its reward payout model for its bug bounty program  

  • 2 min read
  • 20 Feb 2019


GitHub announced yesterday that it is expanding its bug bounty program by adding more services to the list of in-scope targets and by increasing the reward amounts offered to vulnerability researchers. It has also added Legal Safe Harbor terms to its updated policy.

All products and services under the github.com domain including GitHub Education, Enterprise Cloud, Learning Lab, Jobs, the Desktop application, githubapp.com, and github.net are a part of this bug bounty list. Launched in 2014, GitHub’s Security Bug Bounty program paid out $165,000 to researchers from their public bug bounty program in 2018. GitHub’s researcher grants, private bug bounty programs, and a live-hacking event helped GitHub reach a huge milestone of $250,000 paid out to researchers last year.

GitHub’s new Legal Safe Harbor terms cover three main sources of legal risk:

  • Protecting researchers’ research activity, and authorizing it even where it crosses a line, as long as it is carried out for the purpose of research
  • Protecting researchers in the bug bounty program from legal exposure via third parties: unless GitHub gets the researcher’s written permission, it will not share identifying information with a third party
  • Preventing researchers in the bug bounty program from being hit with site violations when they have broken the rules in the spirit of research


According to the GitHub blog post, “You won’t be violating our site terms if it’s specifically for bounty research. For example, if your in-scope research includes reverse engineering, you can safely disregard the GitHub Enterprise Agreement’s restrictions on reverse engineering. Our safe harbor now provides a limited waiver for parts of other site terms and policies to protect researchers from legal risk from DMCA anti-circumvention rules or other contract terms that could otherwise prohibit things a researcher might need to do, like reverse engineering or de-obfuscating code.”

As for the reward schedule, GitHub says they have increased the reward amounts at all levels:

  • Critical: $20,000–$30,000+
  • High: $10,000–$20,000
  • Medium: $4,000–$10,000
  • Low: $617–$2,000


“We no longer have a maximum reward amount for critical vulnerabilities. Although we’ve listed $30,000 as a guideline amount for critical vulnerabilities, we’re reserving the right to reward significantly more for truly cutting-edge research”, the GitHub blog states.