GitHub widens the scope of its bug bounty program and increases rewards
Now in its fifth year, the GitHub Security Bug Bounty has been updated to offer larger rewards to those who find bugs. At the same time, the scope of the program is being expanded and protections for researchers have been added through new Legal Safe Harbor terms.
As well as expanding the program to cover any of its "first-party services", GitHub has effectively removed any upper limit on the size of reward pay-outs for critical bugs.
GitHub says that low severity issues could earn rewards of $617 - $2,000, while the pay-out for medium severity issues could be $4,000 - $10,000. High severity bugs could earn $10,000 - $20,000, and those deemed critical attract rewards of $20,000 - $30,000+.
Announcing the updated banding, GitHub says:
The upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.
A wider range of services that fall under the GitHub umbrella are now covered by the program, including GitHub Education, GitHub Learning Lab, GitHub Jobs and GitHub Enterprise Cloud.
Researchers can now feel reassured that their work is covered by the GitHub Bug Bounty Program Legal Safe Harbor policy, which states:
- We consider security research and vulnerability disclosure activities conducted consistent with this policy as "authorized" conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.
- We want you to responsibly disclose through our bug bounty program, and don’t want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.
- Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.
- If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.
Full details of the bug bounty program can be found on the GitHub Security site.