GitHub bug bounty payouts surpass $1.5m
The Microsoft-owned company's bounty programme, which launched on HackerOne in 2016, awarded more than $500,000 in the last 12 months
28 June 2021 | 0
GitHub awarded $524,250 (€439,812) in bug bounties in the last year, bringing total payouts from the five-year-old programme to $1,552,004.
The company said that 2020 was the programme’s “busiest year yet”, and from February 2020 to 2021, it handled a higher volume of submissions than any previous year. The over half a million in bounties was awarded for 203 vulnerabilities in its products and services.
In total, 1,066 submissions were made to the programme, which was launched in 2016 on HackerOne. The Microsoft-owned company’s response time improved by four hours from 2019 to an average of 13 hours to first response.
Furthermore, submissions were validated and triaged internally to partner teams within 24 hours on average, while bounties were paid out 24 days after the submission of an eligible report.
One of the “most interesting” submissions GitHub received in 2020 was an open redirect vulnerability discovered by William Bowling which was awarded $10,000. The vulnerability on GitHub.com could be used to compromise the OAuth flow of Gist users.
Moreover, GitHub also became a CVE Number Authority (CNA) in 2020 where it began issuing CVEs for vulnerabilities in GitHub Enterprise Server. “Being a CNA allows us to clearly and consistently communicate to customers the issues that are fixed in our products, allowing customers to properly identify outdated GitHub Enterprise Server instances and prioritise upgrades,” stated the company.
At the start of June, GitHub updated its policies to reduce the potential for hackers to abuse the platform, including blocking any code used in ongoing attacks. The change explicitly allowed dual-use security technologies and content related to security research to remain on the platform but will take action against projects that may lead to causing harm to others. GitHub users are prohibited from uploading or sharing any content through the platform which can deliver malicious files, or from manipulating it to serve as a command & control infrastructure.
© Dennis Publishing
Professional Development for IT professionals
The mission of the Irish Computer Society is to advance, promote and represent the interests of ICT professionals in Ireland. Membership of the ICS typically reduces courses by 20%. Find out more