Four years after starting a bug bounty program, GitHub is still seeing benefits from rewarding security researchers for responsibly disclosing security vulnerabilities.
For 2017, GitHub reported that it received 840 bug submissions to its bug bounty program, which is run on the HackerOne platform. A total of 121 reports were resolved by GitHub, with an average reward payout to security researchers of $1,376. Overall in 2017, GitHub paid security researchers a total of $166,495 in bug bounty awards, up from $95,300 in 2016.
“The top payout for 2017 was for a bypass of SAML authentication in GitHub Enterprise,” Greg Ose, Senior manager, security engineering at GitHub told eWEEK. “This received our max payout at the time of $10,000.”
The Security Assertion Markup Language (SAML) bug was submitted by security engineer Ioannis Kakavas, who also received a bonus of an additional $12,000 for the flaw, as it was submitted during GitHub’s third anniversary bug bounty promotion in 2017. Ose noted that GitHub is not doing an anniversary promotion as part of the fourth anniversary of its bug bounty program. GitHub decided to forgo bonus awards for its 2018 anniversary because GitHub already doubled it payouts in October 2017.
GitHub has a cloud-based, publicly available distributed version control code repository that is widely used by developers and organizations. There is also an on-premises version known as GitHub Enterprise which is where Ose said a surprising vulnerability was discovered. Security research Markus Fenske reported a remote code execution bug in one of the services on GitHub Enterprise.
Ose explained that GitHub Enterprise is setup so that all session secrets are randomized for each GitHub Enterprise install. However he noted that during a refactoring of scripts that set file permissions, the file containing the random session secret was set to be unreadable.
“This caused our code to default to a static session secret used for testing,” Ose said. These scripts were updated to correctly set the file permissions. Tests were also added to check this was correct on every build and most importantly, our code was updated to never default to a static value for this session secret.”
Looking beyond just rewarding researchers for disclosing bugs in GitHub’s platforms, GitHub also provided a financial grant to a researcher to take a deeper look at how SAML authentication works on GitHub. Ose said that GitHub identified a number of vulnerabilities involving its SAML implementation in GitHub Enterprise in the beginning of 2017. After fixing the issues identified both internally and via the bug bounty program, GitHub funded a researcher to take a deeper dive into its SAML authentication flows.
“While no new issues were identified, the researcher provided a deep analysis of different common SAML vulnerabilities and verification of how our implementation was not affected,” Ose said. ” This provided a great reference to our engineers and gave us further confidence in our implementation when shipping SAML as part of GitHub for Business.”
GitHub for Business is a commercial offering where organizations get additional capabilities on the GitHub.com hosted platform.
Private Bug Bounty Program
GitHub also launched a private bug bounty program in 2017, that invited qualified researchers to take aim at specific new feature targets.
“Over the course of the few weeks the private program was open, we fixed three issues and paid out close to $5,000,” Ose said. “While within the total scope of the program, three vulnerabilities is not a large increase, we were super happy to receive focused submissions on the feature before it shipped.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.