GitHub celebrated yet another record breaking year for our Security Bug Bounty Program in 2021! We’re excited to announce that we recently passed $2,000,000 in total payments to researchers, just two years after we crossed the $1,000,000 mark in 2019. Within the last year, we have paid out over $800,000 in total bounty rewards across our programs. We believe the foundation of a successful security bug bounty program is the partnership with talented security researchers from across the community, so we thank all who have participated in our bounty program this past year and years prior.
Security is core to GitHub’s mission and last year we announced a new internal team dedicated to the execution and growth of our bug bounty program. The welcoming of this team, focused on community engagement, operation, and growth of our program, to our Product Security Engineering organization has been integral to the continued growth and maturity of our bounty program. In this post, we’re happy to share with you some of the incredible achievements we’ve made together with the bounty community from this past year.
As we look ahead to the rest of 2022, we’re also excited to share that we’ll be hosting a live hacking event with HackerOne in June 2022. More details on that below.
In just ten short months since creating our dedicated internal bug bounty team, we quickly surpassed our 2021 records. Here are some important highlights from February 2021 to February 2022:
Awarded $803,769 in bounties for 235 vulnerabilities, bringing us to $2,355,773 in total rewards via HackerOne since 2016.
Received 1,363 submissions across our public and private programs, with January 2022 being our most popular month in which we received 149 submissions.
Awarded our highest single bounty of all time of $50,000 in November 2021.
Matched over $64,000 of donations of bounties from researchers, totaling $128,234 donations to various charities (learn more about our donation program here).
Improved our response time by an hour since 2020, bringing our average first response time to 12 hours.
Grew contributors to our program by 21%, and saw an 18% increase in first‐time reports.
Favorite bug of 2021
The submissions to our bounty program continue to impress us. Here’s a closer look at one of the most interesting submissions we received in 2021.
On July 2, 2021, we received a report about a path traversal vulnerability in GitHub Enterprise Server (GHES).
The reported path traversal vulnerability in GHES occurred when building a GitHub Pages site. GitHub Pages allow users to personalize their site with a range of configuration options. These user-controlled configuration options were not sufficiently restricted and allowed an attacker to leverage path traversal to read files on the GHES instance. To exploit this vulnerability, the attacker would need permission to create and build a GitHub Pages site on the GHES instance.
We fixed the issue and assigned CVE-2021-22867 and CVE-2021-22868. CVE-2021-22868 was issued after a bypass of the fix for CVE-2021-22867 was found that still allowed path traversal using a different payload.
The vulnerability affected all versions of GitHub Enterprise Server prior to 3.1.8 and was fixed in 3.1.8, 3.0.16, and 2.22.22.
Researcher, yvvdwf, not only reported a fantastic initial find, but assisted in testing the fix when it was available. This testing and variant analysis also led us to discover a bypass of our initial fix. Ultimately, the discovery allowed us to further secure our product. For their continued effort, we awarded a bonus to yvvdwf for helping us test and another bounty for their additional finding.
As we expand and grow our products and services at GitHub, we also continue to add new areas of focus to our bounty scope. For example, this year we added npm to our scope after introducing the product to the program via a private bounty. We were grateful for the success of the program, which led to the discovery of three critical vulnerabilities, and will continue to invest in private bounties with targeted focus areas as part of our overall security investments.
Additionally, we will continue to identify new ways to incentivize researchers in our program. In addition to monetary rewards, we are also focusing on introducing more non-monetary rewards to recognize reports that do not meet our criteria for payment. We understand there are more ways to reward researchers, and by creating different rewards for different researcher motivations, such as money or recognition, we can continue to better foster relationships with our researchers and provide recognition for their work.
And one last thing: we are excited to announce that we will be hosting a live hacking event in June 2022 with HackerOne. We find immense value in spending time with our community, and we are excited to host our first GitHub-focused event. We have partnered with HackerOne over the last few months to plan an exciting return to events that support both in-person and remote participation. While the event has limited access, we encourage you to visit https://www.hackerone.com/live-hacking-events for information about how to be invited to future live hacking events.
As we look ahead to the ninth year of GitHub’s bug bounty program, we plan to continue to make improvements to our program to ensure we provide the best experience for our researchers and engineers. In 2023, you can anticipate improvements in response times, participation in our community of hackers, and continued review and competitive rewards for our researchers.
It has truly been an exciting year for our team! We have some impressive plans for the next year of our program, and we look forward to interacting with our participants and reviewing their submissions.
We encourage researchers of all levels to submit reports to our bug bounty program. Your submissions are greatly valued and impactful to ensuring the safety and security of our products, our users, and the community. For more details regarding the program’s scope, rules, and rewards please visit our website.
Thank you, again, to all the hackers who have participated in the program. Happy hacking!
In this blog, I’ll look at CVE-2022-46395, a variant of CVE-2022-36449 (Project Zero issue 2327), and use it to gain arbitrary kernel code execution and root privileges from the untrusted app domain on an Android phone that uses the Arm Mali GPU. I’ll also explain how root cause analysis of CVE-2022-36449 led to the discovery of CVE-2022-46395.