GitHub Expands Bug Bounty Program Scope & Increases Payouts

GitHub is adding more of its own services to its bug bounty program, and increasing the payout amounts it offers to those who find vulnerabilities.

The expansion relates to products and services GitHub hosts under its own domain, including GitHub Education, Enterprise Cloud, Learning Lab, Jobs, and the Desktop application. Employees can also take advantage of these new additions; the company has added its internally-focused and domains to the bug bounty list.

All bug bounty programs have a scope, but GitHub is adding an expanded set of terms to its Legal Safe Harbor to protect those who inadvertently overstep their bounds. The new language focuses on three key areas: keeping research protected and authorized when you cross the line for the purpose of your research; protecting researchers in the bug bounty program from legal exposure via third-parties; and preventing researchers in the bug bounty program from being hit with any site violations when they’ve broken the rules in the spirit of research.

In lay terms, this means GitHub won’t sue you if, when researching a bug, you violate its terms of service elsewhere. Any “good faith violations” of its existing rules will be forgiven, and GitHub won’t support any legal action taken by others. If your research finds violations that affect others, which may expose you to legal risk, GitHub will keep you anonymous unless you’ve explicitly chosen not to be in that instance.

An example: Let’s say a company has some hard and fast rules of their own about accessing its code, which could land you in a courtroom. If that company were hosting said code on GitHub, and you discovered a bug that allowed you to access any private repo you liked, GitHub would notify the company without naming you. And if the company found out it was you via other methods and decided to sue you, GitHub would not support or participate in that lawsuit.

This extends throughout GitHub as well. From its blog post:

You won’t be violating our site terms if it’s specifically for bounty research. For example, if your in-scope research includes reverse engineering, you can safely disregard the GitHub Enterprise Agreement’s restrictions on reverse engineering. Our safe harbor now provides a limited waiver for parts of other site terms and policies to protect researchers from legal risk from DMCA anti-circumvention rules or other contract terms that could otherwise prohibit things a researcher might need to do, like reverse engineering or de-obfuscating code.

As for its expanded payout schedule, here it is:

  • Low: $617-$2,000
  • Medium: $4,000-$10,000
  • High: $10,000-$20,000
  • Critical: $20,000-$30,000+

That little ‘plus’ for critical bugs is purposeful; GitHub acknowledges “finding higher-severity vulnerabilities in GitHub’s products is becoming increasingly difficult for researchers and they should be rewarded for their efforts.” In light of that, some of the more critical bugs may require payouts beyond $30,000. We’re more curious why there’s a $2,000 gap between the low and medium-level bugs (GitHub tells Dice the gap is “recognition” for finding more severe bugs), and why the program starts at $617.

The expanded bug bounty program comes at an interesting time for GitHub. Following its acquisition by Microsoft, it spun up a new ‘Actions’ service that allows you to string together several automations to perform routine functions. It also acquired Spectrum, a chat service we expect it will weave into the service proper at some point so developers can chat with one another.

It also expanded its service to allow for unlimited private repos on its free tier, and raised how many collaborators you can have for those projects. All told, these moves expand GitHub’s reach, as well as its potential vulnerabilities, so the new bug bounty program with increased payouts arrives at a potentially lucrative time for security researchers and hackers.