Nine years of the GitHub Security Bug Bounty program
It was another record year for our Security Bug Bounty program! We’re excited to highlight some achievements we’ve made together with the bounty community in 2022!
The ninth year of GitHub’s Security Bug Bounty Program saw our program reach new heights. We’re very excited to provide a look into the amazing accomplishments we made in 2022 and share a sneak peek into what is to come in our tenth year!
In our eighth year blog post, we laid out our goals for this past year: hosting a live hacking event with HackerOne, increasing our private bounty engagements, and creating new non-monetary incentives for our hacker community. On top of accomplishing these goals, we surpassed the $3,000,000 mark in total payments and grew our internal bug bounty team. We say this often, but it remains true: security is core to GitHub’s mission, and we believe the foundation of a successful security bug bounty program is partnership with talented security researchers.
2022 highlights
Here are some highlights from February 2022 to February 2023:
- Awarded $1,576,364 in bounties for 364 vulnerabilities, bringing us to $3,839,287 in total rewards via HackerOne since 2016.
- Received 2,042 submissions across our public and private programs, with June 2022 becoming our new record month with 294 submissions as part of our Live Hacking Event H1-512.
- Hosted a Live Hacking Event with HackerOne H1-512.
- Shipped a new swag store with VIP swag!
- Matched over $18,000 in bounty donations from researchers, for a total of $37,234 donated to various charities (learn more about our donation program as part of our program policy).
- Grew the number of contributors to our program by 21% and saw a 58% increase in first-time reports!
H1-512
We hosted a Live Hacking Event, H1-512, with HackerOne in Austin June 6-17, 2022. During this two-week event, 45 in-person and remote participants from 19 different countries were invited to focus on finding security vulnerabilities across GitHub, with a special focus on GitHub Copilot, Codespaces, and the recently improved GitHub code search. As with many of our internal VIP bounty targets and events, our bounty rewards were all increased during this event, and additional bonuses were offered for exceptional reports and key areas of focus.
Researchers submitted a total of 182 reports, of which 94 (52%) were valid. With the increased bounty rewards and bonuses, our bounty awards for the event totaled an impressive $696,000. This included $137,975 in awards that the researchers elected to donate to nonprofits, which GitHub matched.
We’d like to call out our Most Valuable Hacker, Alex Chapman (@ajxchapman), for his extraordinary findings during this event.
H1-512 was a fantastic opportunity for our team to experience the excitement and passion of our hackers in person. This event enabled us to break down the barriers of the screen and to make meaningful connections. Whether it was listening to the show and tell presentations, cheering on the funniest memes created over the 12 days, or answering questions live and in person, we took each chance we could to ensure our community of hackers felt connected to our team and appreciated for the work they do.
Swag store
We have continued exploring opportunities to expand both our monetary and non-monetary rewards. After compiling feedback from our community and many discussions, we found that the greatest demand was everyone’s favorite—SWAG.
We learned that hackers want more opportunities to show off their participation in our bug bounty program and their partnership with GitHub. So, we put our creative hats on to design some exciting items, and earlier this year we launched the GitHub Bug Bounty swag store! Now, every valid submission is eligible not only for a bounty but also for a potential swag bonus.
Limited disclosure
One of the exciting parts of finding a bug is being able to share those details with your peers and we understand that this is very much part of the hacker experience. To create a mutually beneficial partnership around disclosure, this year we started limited disclosure of reports that receive a CVE (Common Vulnerabilities and Exposures) in GitHub Enterprise Server (GHES) and open source projects. As we continue to expand our capabilities as a team, we aim to disclose more reports through the HackerOne platform.
Researcher highlight
In October 2022, we brought back researcher spotlights to celebrate Cybersecurity Awareness Month. Reputation in the bounty community is extremely important, and these interviews provide a high form of recognition. Our interview questions focus on the highlighted researcher's journey into bounty hunting, their thought process, and whatever they are willing to share of their methodologies. This year we spotlighted @ahacker1, an active participant who has had many good finds over their years in our program.
Thank you!
We continue to be amazed by the immense talent and creativity in our hacker community, and look forward to the continued growth of our program and its participants.
We encourage researchers of all levels to submit reports to our bug bounty program. Your submissions are greatly valued and impactful to ensuring the safety and security of our products, our users, and the community. For more details regarding the program’s scope, rules, and rewards please visit our website.
Next year, we celebrate our 10-year anniversary. This is a huge milestone for us, and we’re seeking opportunities to keep upleveling our program for the community. Things on deck for this year fall into the categories of increasing our transparency in communication and rewards, continued focus on growing our public and private programs, and expanding the team’s presence within the community.
Thank you, again, to all of the hackers who have participated in our bounty program. Happy hacking!