As the home to more than 90 million developers, GitHub is heavily invested in ensuring that the code developers build and use daily is trusted and secure. Our bug bounty team is continually focused on driving improvements as to how GitHub develops secure software, to enable developers on our platform to innovate more confidently than ever before.
Since its launch in 2014, GitHub’s Bug Bounty program has amplified our ability to ship secure products beyond what we could have achieved without the help of our external security researchers. We have continued to grow and expand our bug bounty program, focusing on engaging with our researchers and the security community. This year, we hosted a Live Hacking event in June that was filled with great bugs, custom swag, and good times connecting with the research community. Additionally, we met up with a few of our researchers at DEF CON 30 to catch up, share insights on our program roadmap, and gather feedback. We’ve also started to share out our monthly program stats at @githubsecurity to give the security community an insight on our program!
To wrap up Cybersecurity Awareness Month this October, we’re interviewing one of our researchers to learn more about their experiences hacking GitHub. ahacker1 specializes in IDOR and other forms of improper access controls and has found some very interesting and complex issues throughout their research!
How did you get involved with bug bounty? What has kept you coming back to it?
I began by finding and reporting bugs (non-security issues) in an application that I frequently used. Then, I found out about the application’s bug bounty program and decided to try getting a bounty.
It feels great to find a vulnerability, and I love the sense of achievement. Additionally, I love the creativity involved in finding vulnerabilities, and I’m also motivated by the huge bounties.
How do you keep up with and learn about vulnerability trends? Are there any specific accounts or blogs you’d recommend?
I browse Twitter frequently and read many security blogs.
I recommend reading blogs from https://portswigger.net/research/james-kettle—they are very detailed.
What are your favorite classes of bugs to research and why?
My favorite vulnerability class to research is improper access control vulnerabilities because it often requires some degree of creativity and thinking outside the box to find one on GitHub.
You’ve found some complex and significant bugs in your work. Can you talk a bit about your process?
I usually start by focusing on one or two GitHub products/features at a time and attempt to gain a comprehensive understanding of the product. This allows me to think of numerous possible (clever) ways a bug could exist in the feature, which I then test.
You participated in our live hacking event (H1-512) earlier this year. Can you talk a bit about your experience with the event?
Overall, the experience was awesome. I loved being able to collaborate and communicate with other hackers. Additionally, I enjoyed the increased bounties and competition.
Do you have any advice or recommended resources for researchers looking to get involved with bug bounty?
I would suggest reading a lot of bug bounty writeups to learn more about each vulnerability class. Moreover, it’s also important to learn how the hunter approached hunting the target when reading the write-up.
I also think that when trying to find your first vulnerability, it is important to be persistent on the target.
Do you have any social media platforms you’d like to share with our readers?
My Discord is ahacker1#3814.
Thank you, ahacker1, for participating in GitHub’s bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So, if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.
Interested in helping us secure GitHub products and services? Check out our open roles at https://github.com/about/careers!