GitHub announced yesterday that it is expanding its bug bounty program by adding more services to the list and increasing the reward amounts offered to vulnerability seekers. It has also added Legal Safe Harbor terms to its updated policy.
All products and services under the github.com domain, including GitHub Education, Enterprise Cloud, Learning Lab, Jobs, the Desktop application, githubapp.com, and github.net, are part of this bug bounty list. Launched in 2014, GitHub’s Security Bug Bounty program paid out $165,000 to researchers through its public bug bounty program in 2018. GitHub’s researcher grants, private bug bounty programs, and a live-hacking event helped GitHub reach a huge milestone of $250,000 paid out to researchers last year.
GitHub’s new Legal Safe Harbor terms cover three main sources of legal risk including:
According to the GitHub blog post, “You won’t be violating our site terms if it’s specifically for bounty research. For example, if your in-scope research includes reverse engineering, you can safely disregard the GitHub Enterprise Agreement’s restrictions on reverse engineering. Our safe harbor now provides a limited waiver for parts of other site terms and policies to protect researchers from legal risk from DMCA anti-circumvention rules or other contract terms that could otherwise prohibit things a researcher might need to do, like reverse engineering or de-obfuscating code.”
As for the reward schedule, GitHub says they have increased the reward amounts at all levels:
“We no longer have a maximum reward amount for critical vulnerabilities. Although we’ve listed $30,000 as a guideline amount for critical vulnerabilities, we’re reserving the right to reward significantly more for truly cutting-edge research”, the GitHub blog states.