GitHub's Bug Bounty program gets bigger

04 Mar 2019

GitHub’s Bug Bounty program is now five years old, and to mark the occasion it has revamped the program’s scope and rewards and added new legal terms.

In 2018 the company paid out US$250,000 to researchers. $75,000 of that came from HackerOne’s H1-702 live hacking event in the US last year, where researchers found 43 vulnerabilities. One of those was a critical-severity vulnerability in GitHub Enterprise Server.

Moving forward to 2019, GitHub is expanding the Bug Bounty program’s scope to include vulnerabilities in all first-party services under github.com. Those services include GitHub Education, GitHub Learning Lab, GitHub Jobs, and the GitHub Desktop application.

GitHub’s Enterprise Server scope has also expanded to include Enterprise Cloud.

“It’s not just about our user-facing systems. The security of our users’ data also depends on the security of our employees and our internal systems. That’s why we’re also including all first-party services under our employee-facing githubapp.com and github.net domains,” writes GitHub’s Philip Turnbull.

The Bug Bounty’s rewards have also been increased at all severity levels, not just critical. Furthermore, there is now no maximum reward amount for a critical vulnerability, as GitHub aims to reward cutting-edge research more generously.

The new reward system for vulnerabilities is:

  • Critical: $20,000–$30,000+
  • High: $10,000–$20,000
  • Medium: $4,000–$10,000
  • Low: $617–$2,000

“We also recognise that finding higher-severity vulnerabilities in GitHub’s products is becoming increasingly difficult for researchers and they should be rewarded for their efforts,” says Turnbull.

Finally, GitHub has introduced Legal Safe Harbor terms to its site policy to protect bounty researchers from legal risks.

Turnbull explains how the terms address three main sources of legal risk:

  • Your research activity remains protected and authorised even if you accidentally overstep our bounty program’s scope. Our safe harbor now includes a firm commitment not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants’ bounty program research activities. You remain protected even for good faith violations of the bounty policy.
  • We will do our best to protect you against legal risk from third parties who won’t commit to the same level of safe harbor protections. Our safe harbor terms now limit report-sharing with third parties in two ways. We will share only non-identifying information with third parties, and only after notifying you and getting that third party’s written commitment not to pursue legal action against you. Unless we get your written permission, we will not share identifying information with a third party.
  • You won’t be violating our site terms if it’s specifically for bounty research. For example, if your in-scope research includes reverse engineering, you can safely disregard the GitHub Enterprise Agreement’s restrictions on reverse engineering. Our safe harbor now provides a limited waiver for relevant parts of our site terms and policies. This protects against legal risk from DMCA anti-circumvention rules or similar contract terms that could otherwise prohibit necessary research tasks like reverse engineering or deobfuscating code.

Turnbull adds that other organisations are welcome to look to these terms as an industry example of safe harbour best practices.

“We encourage others to freely adopt, use, and modify them to fit their own bounty programs. In creating these terms, we aim to go beyond the current standards for safe harbor programs and provide researchers with the best protection from criminal, civil, and third-party legal risks. The terms have been reviewed by expert security researchers, and are the product of many months of legal research and review of other legal safe harbor programs.”
