GitHub’s VIP Bug Bounty Program has been updated to include a clear and accessible criteria for receiving an invitation to the program and more. Learn more about the program and how you can become a Hacktocat, and join our community of researchers who are contributing to GitHub’s security with fun perks and access to staff and beta features!
GitHub’s bug bounty team has had an exciting start to the year. We launched our very own swag store, allowing researchers to earn exclusive bug bounty branded swag as a bonus perk to their earned bounty reward, and held two private beta feature engagements, which brought us great findings by our VIP researchers!
The addition of the swag store came from many conversations and feedback on how we can continue to improve our bug bounty program.In these conversations, we also were inspired to revamp our VIP program, a private program that has been operating for five years, where we privately invite researchers to gain exclusive access based on their contributions in securing GitHub. This revamp includes establishing clearer and more accessible criteria for receiving an invite to join the VIP program as a Hacktocat, more access to beta features, exclusive VIP-only swag, access to engineering and security Hubbers, and more! Let’s break it down.
A Hacktocat is someone who has consistently contributed to improving the security of GitHub through high-impact, credible reports via our bug bounty program. To receive an invite, a researcher must have:
Researchers who meet the above criteria unlock an invitation to work directly with GitHub staff, and other researchers, increasing the learning opportunity for more familiarity and understanding across our range of products and features. Specifically, our Hacktocats within the VIP program have direct access to:
Our partnership with talented security researchers from across the community is pivotal in running a successful bug bounty program, so we thank all who continue to support and participate in our program. Your submissions are greatly valued and impactful to ensuring the safety and security of our products, our users, and the community, and we are excited to introduce even more incentives.
For more details regarding the program’s scope, rules, and rewards please visit our website! We look forward to seeing more Hacktocats join the program.
We’ve dramatically increased 2FA adoption on GitHub as part of our responsibility to make the software ecosystem more secure. Read on to learn how we secured millions of developers and why we’re urging more organizations to join us in these efforts.
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.
Jeff Guerra 
