GitHub bug bounty payouts surpass $1.5 million

Github's website with a banner that says Microsoft is purchasing the company
(Image credit: Shutterstock)

GitHub awarded $524,250 (£377,017) in bug bounties in the last year, bringing total payouts from the five-year-old programme to $1,552,004.

The company said that 2020 was the programme's “busiest year yet”, and from February 2020 to 2021, it handled a higher volume of submissions than any previous year. The over half a million in bounties was awarded for 203 vulnerabilities in its products and services.

In total, 1,066 submissions were made to the programme, which was launched in 2016 on HackerOne. The Microsoft-owned company’s response time improved by four hours from 2019 to an average of 13 hours to first response.

Furthermore, submissions were validated and triaged internally to partner teams within 24 hours on average, while bounties were paid out 24 days after the submission of an eligible report.

One of the “most interesting” submissions GitHub received in 2020 was an open redirect vulnerability discovered by William Bowling which was awarded $10,000. The vulnerability on could be used to compromise the OAuth flow of Gist users.

Moreover, GitHub also became a CVE Number Authority (CNA) in 2020 where it began issuing CVEs for vulnerabilities in GitHub Enterprise Server. “Being a CNA allows us to clearly and consistently communicate to customers the issues that are fixed in our products, allowing customers to properly identify outdated GitHub Enterprise Server instances and prioritise upgrades,” stated the company.


The definitive guide to IT security

Protecting your MSP and your customers


At the start of June, GitHub updated its policies to reduce the potential for hackers to abuse the platform, including blocking any code used in ongoing attacks. The change explicitly allowed dual-use security technologies and content related to security research to remain on the platform but will take action against projects that may lead to causing harm to others. GitHub users are prohibited from uploading or sharing any content through the platform which can deliver malicious files, or from manipulating it to serve as a Command and Control infrastructure.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.