In January 2014, GitHub, the code hosting service built on the Git distributed version control system, first launched a bug bounty program, rewarding security researchers for responsibly disclosing software vulnerabilities. Now, three years later in January 2017, GitHub is celebrating the third anniversary of its bug bounty program with bonus rewards for the top submissions made in January and February.
GitHub's bug bounty program currently runs on the HackerOne platform. Greg Ose, GitHub's Application Security Engineering Manager, explained that GitHub moved to HackerOne in April 2016.
“We have developed API integrations with HackerOne to kick off our internal triage with developers and to maintain our bounty website at bounty.github.com,” Ose told eWEEK. “Bounty.github.com still includes our program’s leaderboard and detailed write-ups for submissions.”
Over its three-year existence, the bug bounty program has worked out well for both GitHub and participating security researchers. In the first two years of the program, GitHub paid out a total of $95,300 in bug bounties across 102 submissions. Ose noted that in the third year of the program, GitHub paid out a total of $81,700 for 73 submissions.
Among all the issues that have come into the bug bounty program, several have stood out. Ose said that one issue that helped define a major focus area for application security at GitHub was a report received in February 2014. The report detailed a dangerous Cross-Site Scripting (XSS) vulnerability on the main GitHub.com website.
“We had worked to harden GitHub.com against various cross-site scripting (XSS) attacks using a then-recent browser feature called Content Security Policy (CSP),” Ose explained. “The submitter was able to not only demonstrate a content injection vulnerability within GitHub.com, but also detailed a bypass to our existing CSP to allow JavaScript execution.”
After fixing the issue, GitHub used the vulnerability as an example to lock down the restrictions enforced by CSP and to implement new browser security features. Ose said that the new features aim to prevent content injection vulnerabilities from escalating to JavaScript execution or to the exfiltration of sensitive information from GitHub's web pages. He added that GitHub's engineering team has been documenting some of its CSP efforts online and plans to publish additional details of the protections GitHub has continued to implement.
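To make concrete what "locking down CSP" against both script execution and exfiltration involves, here is an added example (not GitHub's code, and not its actual policy): a small auditor that parses a Content-Security-Policy header and flags directives that would let injected markup run script or carry data off the page. The two policies it checks are constructed for illustration.

```python
# Added example, not GitHub's code: audit a CSP header for the two escalation
# paths the article names, script execution and data exfiltration.
from typing import Dict, List, Optional

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'dir src src; dir src' into {directive: [sources]}; first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives (script-src, img-src, connect-src) fall back to default-src."""
    return policy.get(directive, policy.get("default-src"))

def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak spot was found."""
    policy = parse_csp(header)
    findings: List[str] = []
    script = effective(policy, "script-src")
    if script is None:
        findings.append("script-src: unrestricted (no script-src and no default-src)")
    else:
        # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if weak in script and not (weak == "'unsafe-inline'" and has_nonce_or_hash):
                findings.append(f"script-src allows {weak}: injected markup can execute script")
    # Injected <img> or fetch() targets are the classic exfiltration channels.
    for directive in ("connect-src", "img-src"):
        sources = effective(policy, directive)
        if sources is None or "*" in sources:
            findings.append(f"{directive}: any origin allowed; injected content can exfiltrate data")
    # These two do NOT inherit from default-src, so they must be set explicitly.
    if "form-action" not in policy:
        findings.append("form-action missing: injected <form> can submit page data anywhere")
    if "base-uri" not in policy:
        findings.append("base-uri missing: injected <base> can redirect relative script URLs")
    return findings

# Constructed sample policies: a permissive one and a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src *"
HARDENED_CSP = ("default-src 'none'; script-src 'self' 'nonce-abc123'; style-src 'self'; "
                "img-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'none'; "
                "frame-ancestors 'none'")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, audit_csp(csp) or ["no findings"])
```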
While GitHub is an online repository for projects, at its core the site is built on the open-source Git version control system, originally developed by Linux creator Linus Torvalds.
“While less common than submissions in our web applications, we have received, paid out, and fixed vulnerabilities in Git,” Ose said. “Luckily, a number of core Git developers are also employees at GitHub so we’ve been able to quickly contribute fixes for these issues upstream.”
Anniversary Contest
For the third anniversary of the GitHub bug bounty program, a contest will award additional prize money for the best security reports. Ose said that the contest will end February 28, 2017, with the most severe vulnerabilities reported winning the top prizes. The top prize in the contest is a $12,000 award, second place is $8,000, and third place is $5,000.
“Typically, vulnerabilities such as SQL injection, gaps in authorization, and system level vulnerabilities, like remote code execution, net the highest severity and payouts,” Ose said.
Ose also noted that GitHub has set aside a separate $5,000 reward for the best report. He explained that GitHub sometimes receives reports that may not have the biggest technical impact but are unique in nature or simply very well described by the reporter.
Looking forward, Ose said that GitHub is always looking to expand its bug bounty program, both in application scope and in participation by the security community. As of January 2017, for example, the program includes the GitHub Enterprise platform as a target for security researchers.
“We will also be launching very focused bug bounties, with increased payouts, for specific features of our applications,” Ose said. “For example, as we utilize new browser security features, we would like researchers to focus on these specific protections.”
“Submissions in these focused areas allow us to not only improve our implementation, but also help us contribute back best practices to other development and application security teams,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.