bug bounty

Rotating credentials for and new GHES patches

GitHub received a bug bounty report of a vulnerability that allowed access to the environment variables of a production container. We have patched and rotated all affected credentials. If you have hardcoded or cached a public key owned by GitHub, read on to ensure your systems continue working with the new keys.

Jacob DePriest

GitHub’s revamped VIP Bug Bounty Program

GitHub’s VIP Bug Bounty Program has been updated to include clear and accessible criteria for receiving an invitation to the program, and more. Learn more about the program and how you can become a Hacktocat, and join our community of researchers who are contributing to GitHub’s security with fun perks and access to staff and beta features!

Jeff Guerra