The bug bounty program receives an upgrade

Feb 20, 2019 05:03 GMT  ·  By

The GitHub Security Bug Bounty program turns five, and the now Microsoft-owned company uses this occasion to announce a series of changes, including higher rewards for security researchers who find and disclose issues in the service.

In an announcement revealing that GitHub paid $165,000 in bug bounties last year, the company promises increased rewards for 2019.

“We regularly assess our reward amounts against our industry peers. We also recognize that finding higher-severity vulnerabilities in GitHub’s products is becoming increasingly difficult for researchers and they should be rewarded for their efforts,” GitHub says.

Just like before, bug bounties are grouped into four severity categories: low, medium, high, and critical.

Needless to say, the critical category is the one bringing you the highest payments, as such a vulnerability can be worth more than $30,000. A bug flagged with high severity can bring you between $10,000 and $20,000, while those with a medium label are rewarded with an amount between $4,000 and $10,000.

“We no longer have a maximum reward amount for critical vulnerabilities. Although we’ve listed $30,000 as a guideline amount for critical vulnerabilities, we’re reserving the right to reward significantly more for truly cutting-edge research,” GitHub explains.

More services included in bug bounty program

Additionally, beginning today, GitHub’s bug bounty program also covers more first-party services, including GitHub Education, GitHub Learning Lab, GitHub Jobs, and GitHub Desktop. All first-party services under employee-facing githubapp.com and github.net domains are part of the updated program too.

And last but not least, GitHub has also updated its so-called Legal Safe Harbor terms for security researchers discovering and reporting bugs in the service, aiming to guarantee that they remain protected and fully authorized at all times when doing any bounty research.

The updated Bug Bounty program Legal Safe Harbor is available here and you can read today’s announcement on this page.