GitHub Bug Bounty Program Offers Bonus Rewards

By Sean Michael Kerner - January 23, 2017

In January 2014, GitHub, the distributed version control code repository, first launched a bug bounty program that rewards security researchers for responsibly disclosing software vulnerabilities. Three years later, in January 2017, GitHub is celebrating the third anniversary of its bug bounty program with bonus rewards for the top submissions made in January and February.

GitHub's bug bounty program currently runs on the HackerOne platform. Greg Ose, GitHub's Application Security Engineering Manager, explained that GitHub moved to HackerOne in April 2016.

      “We have developed API integrations with HackerOne to kick off our internal triage with developers and to maintain our bounty website at bounty.github.com,” Ose told eWEEK. “Bounty.github.com still includes our program’s leaderboard and detailed write-ups for submissions.”

Over its three-year existence, the bug bounty program has worked out well for both GitHub and participating security researchers. In the first two years of the program, GitHub paid out a total of $95,300 in bug bounties across 102 submissions. Ose noted that in the third year of the program, GitHub paid out a total of $81,700 for 73 submissions.

Among all the issues that have come into the bug bounty program, several have really stood out. Ose said that one issue that helped define a major focus area for application security at GitHub was a report received in February 2014. The report detailed a dangerous cross-site scripting (XSS) vulnerability on the main GitHub.com website.

“We had worked to harden GitHub.com against various cross-site scripting (XSS) attacks using a then-recent browser feature called Content Security Policy (CSP),” Ose explained. “The submitter was able to not only demonstrate a content injection vulnerability within GitHub.com, but also detailed a bypass to our existing CSP to allow JavaScript execution.”

After fixing the issue, GitHub used the vulnerability as a reference case for tightening the restrictions enforced by CSP and for adopting new browser security features. Ose said that the new features aim to prevent content injection vulnerabilities from escalating to JavaScript execution or to the exfiltration of sensitive information from GitHub's web pages. He added that GitHub's engineering team has been documenting some of its CSP efforts online and plans to publish additional details of the protections GitHub has continued to implement.
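The two escalation paths Ose describes, content injection becoming script execution and content injection becoming data exfiltration, map directly onto individual CSP directives. The following added example (not GitHub's code, and the two sample policies are constructed for illustration) lints a Content-Security-Policy header for the settings that leave either path open, and shows a permissive policy beside a locked-down one. The nonce value is a placeholder; a real deployment generates a fresh random nonce per response.

```python
"""Lint a Content-Security-Policy header for directives that let a content
injection escalate to script execution or data exfiltration.

Added example, not GitHub's code. WEAK_CSP and HARDENED_CSP are constructed
sample policies; 'nonce-EXAMPLE' stands in for a per-response random nonce.
"""

from typing import Dict, List, Tuple

# With a nonce or hash present, browsers ignore 'unsafe-inline' (CSP level 2+).
_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Source expressions that admit any host, including attacker-controlled ones.
_ANY_HOST = {"*", "http:", "https:"}

WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *"

HARDENED_CSP = (
    "default-src 'none'; script-src 'self' 'nonce-EXAMPLE'; style-src 'self'; "
    "img-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self'; "
    "form-action 'self'; frame-ancestors 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives fall back to default-src; no policy at all allows everything."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])


def find_weaknesses(header: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for each escalation path the policy leaves open."""
    policy = parse_csp(header)
    findings: List[Tuple[str, str]] = []

    # --- content injection -> JavaScript execution ---
    script = effective_sources(policy, "script-src")
    has_nonce_or_hash = any(s.startswith(_NONCE_OR_HASH) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append(("script-inline", "an injected inline <script> executes"))
    if "'unsafe-eval'" in script:
        findings.append(("script-eval", "injected strings can reach eval()/Function()"))
    if _ANY_HOST & set(script):
        findings.append(("script-open-host", "an injected <script src> can load attacker-hosted JS"))
    # Plugin content (<object>/<embed>) is another route to code execution.
    if "'none'" not in effective_sources(policy, "object-src"):
        findings.append(("object-open", "object-src is not 'none': an injected <object> loads plugin content"))
    # base-uri is a document directive and does NOT fall back to default-src.
    if "base-uri" not in policy:
        findings.append(("base-uri-missing", "an injected <base href> redirects relative script URLs"))

    # --- content injection -> data exfiltration ---
    if "form-action" not in policy:
        findings.append(("form-action-missing", "an injected <form action> can post page data elsewhere"))
    for directive in ("connect-src", "img-src"):
        if _ANY_HOST & set(effective_sources(policy, directive)):
            findings.append((f"{directive}-open", f"{directive} allows any host: a request URL can carry page data out"))
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"[{label}] {header}")
        for code, why in find_weaknesses(header) or [("ok", "no escalation path found")]:
            print(f"  {code}: {why}")
```

The checks deliberately treat an absent `object-src`, `base-uri` or `form-action` as a finding, because these are the directives a policy written only with `script-src` in mind tends to omit; `base-uri` in particular does not inherit from `default-src`, so it has to be set explicitly.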

While GitHub is an online repository for projects, at its core the site makes use of the open-source Git version control system, originally developed by Linux creator Linus Torvalds.

      “While less common than submissions in our web applications, we have received, paid out, and fixed vulnerabilities in Git,” Ose said. “Luckily, a number of core Git developers are also employees at GitHub so we’ve been able to quickly contribute fixes for these issues upstream.”

      Anniversary Contest

For the third anniversary of the GitHub bug bounty program, there is a contest that will award additional prize money for the best security reports. Ose said that the contest will end February 28, 2017, with the most severe vulnerabilities reported winning the top prizes. The top prize in the contest is a $12,000 award, second place is $8,000, and third prize is $5,000.

      “Typically, vulnerabilities such as SQL injection, gaps in authorization, and system level vulnerabilities, like remote code execution, net the highest severity and payouts,” Ose said.

Additionally, Ose noted that GitHub has set aside a $5,000 reward for the best report. He explained that GitHub sometimes receives reports that might not have the biggest technical impact, but that are unique in their nature or simply very well described by the reporter.

Looking forward, Ose said that GitHub is always looking to expand its bug bounty program, both in application scope and in participation by the security community. For example, as of January 2017 the program includes the GitHub Enterprise platform as a target for security researchers.

      “We will also be launching very focused bug bounties, with increased payouts, for specific features of our applications,” Ose said. “For example, as we utilize new browser security features, we would like researchers to focus on these specific protections.”

      “Submissions in these focused areas allow us to not only improve our implementation, but also help us contribute back best practices to other development and application security teams,” he said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
