Company fixed 102 security bugs in the past two years

Feb 7, 2016 23:16 GMT

In the past two years, GitHub has paid $95,300 (€85,400) to 58 security researchers for 102 security vulnerabilities they've discovered and reported to the company's staff via its official bug bounty program.

Launched on January 30, 2014, GitHub's bug bounty program placed the company among the Silicon Valley elite that puts a high value on security and its users' privacy.

Right from the get-go, the program was an enormous success, and researchers flocked to report security issues affecting GitHub's huge infrastructure. Some of the researchers who contributed also chose to give their rewards away to a good cause.

"In 2015 we saw an amazing increase in the number of bounties donated to a good cause," GitHub's Ben Toews noted. "GitHub matches bounties donated to 501(c)(3) organizations, and with the help of our researchers we contributed to the EFF, Médecins Sans Frontières, the Ada Initiative, the Washington State Burn Foundation, and the TOR Project."

Of the 102 security bugs reported during the past two years, only three were labeled critical and only thirteen high severity. All three critical vulnerabilities were command injections, which GitHub fixed before they could be exploited.

Judging by this table, which shows the distribution of the bugs across the OWASP Top 10 classification, GitHub's bug bounty program achieved its goal and helped the company fix many of the security issues affecting its service.

[Figure: Bug bounty submissions per week in the past 2 years]

[Figure: GitHub paid nearly $100,000 to security researchers]