The GitHub Bug Bounty Program is turning three years old. To celebrate, we’re offering bigger bounties for the most severe bugs found in January and February.
The process is the same as always: hackers and security researchers find and report vulnerabilities through our responsible disclosure process. To recognize the effort these researchers put forth, we reward them with actual money. Standard bounties range between $500 and $10,000 USD and are determined at our discretion, based on overall severity. In January and February we’re throwing in bonus rewards for standout individual reports in addition to the usual payouts.
In addition to cash prizes, we’ve also made limited edition t-shirts to thank you for helping us hunt down GitHub bugs. We don’t have enough for everyone—just for the 15 submitters with the most severe bugs.
GitHub Enterprise is now included in the bounty program. So go ahead and find some Enterprise bugs. If they’re big enough you’ll be eligible for the promotional bounty. Otherwise, rewards are the same as GitHub.com ($200 to $10,000 USD). For more details, visit our bounty site.
Giving winners some extra cash doesn’t mean anyone has to lose. If you find a bug, you’ll still receive the standard bounties.