
GitHub bug bounty payouts surpass $1.5 million

The Microsoft-owned company's bounty programme, which launched on HackerOne in 2016, awarded more than $500,000 in the last 12 months

GitHub awarded $524,250 (£377,017) in bug bounties in the last year, bringing total payouts from the five-year-old programme to $1,552,004.

The company said that 2020 was the programme's “busiest year yet”, and that from February 2020 to 2021 it handled a higher volume of submissions than in any previous year. The more than half a million dollars in bounties was awarded for 203 vulnerabilities in its products and services.

In total, 1,066 submissions were made to the programme, which launched on HackerOne in 2016. The Microsoft-owned company’s average time to first response improved by four hours compared with 2019, to 13 hours.

Furthermore, submissions were validated and triaged internally to partner teams within 24 hours on average, while bounties were paid out 24 days after the submission of an eligible report.

One of the “most interesting” submissions GitHub received in 2020 was an open redirect vulnerability discovered by William Bowling, which earned a $10,000 bounty. The vulnerability on GitHub.com could be used to compromise the OAuth flow of Gist users.
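Open redirects become an OAuth problem because an authorisation server that redirects the browser to an attacker-controlled location after login may hand over the authorisation code or token with it. The OAuth 2.0 security guidance is therefore to match redirect targets exactly against an allowlist rather than by string prefix. The following is an added illustration, not GitHub's code and not a description of the reported bug: it places a weak prefix-based redirect check beside a strict host-allowlist check and runs both over constructed sample targets. The host names and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed values for this example: the hosts a redirect may legitimately target.
ALLOWED_HOSTS = {"app.example.com"}
ALLOWED_SCHEMES = {"https"}


def naive_is_safe_redirect(target: str) -> bool:
    """A common but weak check: accept any target that starts with our origin.

    A string prefix says nothing about which host the browser will actually
    visit, which is exactly how open redirects arise.
    """
    return target.startswith("https://app.example.com")


def strict_is_safe_redirect(target: str) -> bool:
    """Accept only a site-relative path, or an absolute URL whose parsed host
    exactly matches an allowlisted host and carries no embedded credentials."""
    parts = urlsplit(target)

    # Site-relative paths ("/settings") are fine. Reject protocol-relative
    # ("//host") and backslash forms ("/\\host", which WHATWG-style browser
    # parsers treat like "//host" for https pages).
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith(("//", "/\\"))

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "https://app.example.com@attacker.example" parses with a username of
    # "app.example.com" and a host of "attacker.example"; refuse any userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    # .hostname is already lowercased and has any port stripped.
    return parts.hostname is not None and parts.hostname in ALLOWED_HOSTS


# Constructed sample redirect targets paired with the verdict a correct check should give.
SAMPLES = [
    ("https://app.example.com/settings", True),
    ("/dashboard", True),
    ("https://APP.EXAMPLE.COM/", True),
    ("https://app.example.com.attacker.example/", False),
    ("https://app.example.com@attacker.example/", False),
    ("//attacker.example/", False),
    ("/\\attacker.example", False),
]


def compare_checks():
    """Return (target, naive_verdict, strict_verdict, expected) for every sample."""
    return [
        (t, naive_is_safe_redirect(t), strict_is_safe_redirect(t), want)
        for t, want in SAMPLES
    ]


if __name__ == "__main__":
    for target, naive, strict, want in compare_checks():
        flag = "" if strict == want else "  <-- strict check wrong"
        print(f"{target:45} naive={naive!s:5} strict={strict!s:5} expected={want}{flag}")
```

Run as a script, the table shows the prefix check accepting two hostile targets (a look-alike subdomain and a userinfo trick) while rejecting a legitimate relative path and a differently-cased host; the strict check agrees with the expected verdict on every row. In a real OAuth deployment the allowlist is the set of redirect URIs registered for the client, and the comparison should be against the full registered URI, not just the host.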

GitHub also became a CVE Numbering Authority (CNA) in 2020 and began issuing CVEs for vulnerabilities in GitHub Enterprise Server. “Being a CNA allows us to clearly and consistently communicate to customers the issues that are fixed in our products, allowing customers to properly identify outdated GitHub Enterprise Server instances and prioritise upgrades,” stated the company.


At the start of June, GitHub updated its policies to reduce the potential for hackers to abuse the platform, including blocking any code used in ongoing attacks. The change explicitly allows dual-use security technologies and content related to security research to remain on the platform, but GitHub will take action against projects that may cause harm to others. GitHub users are prohibited from uploading or sharing any content through the platform that can deliver malicious files, or from manipulating it to serve as command-and-control infrastructure.
