It was another record year for our Security Bug Bounty program. We're excited to highlight some achievements we’ve made together with the bounty community from 2021!
GitHub celebrated yet another record breaking year for our Security Bug Bounty Program in 2021! We’re excited to announce that we recently passed $2,000,000 in total payments to researchers, just two years after we crossed the $1,000,000 mark in 2019. Within the last year, we have paid out over $800,000 in total bounty rewards across our programs. We believe the foundation of a successful security bug bounty program is the partnership with talented security researchers from across the community, so we thank all who have participated in our bounty program this past year and years prior.
Security is core to GitHub’s mission and last year we announced a new internal team dedicated to the execution and growth of our bug bounty program. The welcoming of this team, focused on community engagement, operation, and growth of our program, to our Product Security Engineering organization has been integral to the continued growth and maturity of our bounty program. In this post, we’re happy to share with you some of the incredible achievements we’ve made together with the bounty community from this past year.
As we look ahead to the rest of 2022, we’re also excited to share that we’ll be hosting a live hacking event with HackerOne in June 2022. More details on that below.
In just ten short months since creating our dedicated internal bug bounty team, we quickly surpassed our 2021 records. Here are some important highlights from February 2021 to February 2022:
The submissions to our bounty program continue to impress us. Here’s a closer look at one of the most interesting submissions we received in 2021.
On July 2, 2021, we received a report about a path traversal vulnerability in GitHub Enterprise Server (GHES).
The reported path traversal vulnerability in GHES occurred when building a GitHub Pages site. GitHub Pages allow users to personalize their site with a range of configuration options. These user-controlled configuration options were not sufficiently restricted and allowed an attacker to leverage path traversal to read files on the GHES instance. To exploit this vulnerability, the attacker would need permission to create and build a GitHub Pages site on the GHES instance.
We fixed the issue and assigned CVE-2021-22867 and CVE-2021-22868. CVE-2021-22868 was issued after a bypass of the fix for CVE-2021-22867 was found that still allowed path traversal using a different payload.
The vulnerability affected all versions of GitHub Enterprise Server prior to 3.1.8 and was fixed in 3.1.8, 3.0.16, and 2.22.22.
Researcher, yvvdwf, not only reported a fantastic initial find, but assisted in testing the fix when it was available. This testing and variant analysis also led us to discover a bypass of our initial fix. Ultimately, the discovery allowed us to further secure our product. For their continued effort, we awarded a bonus to yvvdwf for helping us test and another bounty for their additional finding.
As we expand and grow our products and services at GitHub, we also continue to add new areas of focus to our bounty scope. For example, this year we added npm to our scope after introducing the product to the program via a private bounty. We were grateful for the success of the program, which led to the discovery of three critical vulnerabilities, and will continue to invest in private bounties with targeted focus areas as part of our overall security investments.
Additionally, we will continue to identify new ways to incentivize researchers in our program. In addition to monetary rewards, we are also focusing on introducing more non-monetary rewards to recognize reports that do not meet our criteria for payment. We understand there are more ways to reward researchers, and by creating different rewards for different researcher motivations, such as money or recognition, we can continue to better foster relationships with our researchers and provide recognition for their work.
And one last thing: we are excited to announce that we will be hosting a live hacking event in June 2022 with HackerOne. We find immense value in spending time with our community, and we are excited to host our first GitHub-focused event. We have partnered with HackerOne over the last few months to plan an exciting return to events that support both in-person and remote participation. While the event has limited access, we encourage you to visit https://www.hackerone.com/live-hacking-events for information about how to be invited to future live hacking events.
As we look ahead to the ninth year of GitHub’s bug bounty program, we plan to continue to make improvements to our program to ensure we provide the best experience for our researchers and engineers. In 2023, you can anticipate improvements in response times, participation in our community of hackers, and continued review and competitive rewards for our researchers.
It has truly been an exciting year for our team! We have some impressive plans for the next year of our program, and we look forward to interacting with our participants and reviewing their submissions.
We encourage researchers of all levels to submit reports to our bug bounty program. Your submissions are greatly valued and impactful to ensuring the safety and security of our products, our users, and the community. For more details regarding the program’s scope, rules, and rewards please visit our website.
Thank you, again, to all the hackers who have participated in the program. Happy hacking!
We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.
Jill Moné-Corallo 
