GitHub Expands Bug Bounty Program And Removes Max Payout Limit
On the fifth anniversary of GitHub Security Bug Bounty Program, the code repository platform is expanding its program by increasing its scope and the rewards offered under in it.
GitHub has announced that the program will now apply to all first-party services hosted under the github.com domain which includes GitHub Education, GitHub LearningLab, GitHub Desktop, and GitHub Jobs.
Additionally, the company has expanded its program to Enterprise Cloud and to all first-party services under the employee-facing githubapp.com and github.net domains.
Github has also increased the reward amount as spotting security flaws in GitHub products “is becoming increasingly difficult for researchers, and they should be rewarded for their efforts,” according to the company.
The revised amount of GitHub Security Bug Bounty Program is as follows:
- Critical: $20,000 – $30,000+
- High: $10,000 – $20,000
- Medium: $4,000 – $10,000
- Low: $617 – $2,000
The plus sign against the rewards for uncovering critical vulnerabilities suggests that there is no maximum capping and if a security analyst manages to find an extremely critical bug, he/she can be rewarded with more than $30,000.
Legal Safe Harbor terms have also been added to the program’s policy for legal protection of bug hunters.
Github launched its bug bounty program in 2014. In 2018, Microsoft owned company rewarded $250,000 to the security researchers.
Out of this amount, $165,000 was paid through the public bug bounty program whereas the remaining amount was handed out through research grants, live hacking events and private bounty programs.