GitHub has launched a security bug bounty program. The code repository is prepared to reward security researchers who find and responsibly disclose vulnerabilities with up to $5,000 (€3,700). The lowest reward is $100 (€73).
“The idea is simple: hackers and security researchers (like you) find and report vulnerabilities through our responsible disclosure process. Then, to recognize the significant effort that these researchers often put forth when hunting down bugs, we reward them with some cold hard cash,” GitHub’s Shawn Davenport explained in a blog post.
It’s worth noting that not all GitHub applications are included in the bug bounty program. However, if they find and report security holes not part of the program, researchers might still get monetary rewards.
For the time being, the GitHub API, Gist, and the main website, GitHub.com, are included in the bounty program.
It’s worth noting that anyone can report vulnerabilities, not just people from the US. Furthermore, even young experts, aged between 13 and 18, can participate. However, those in the US have to submit a guardian consent before they can be paid.
Those who send reports are advised to give GitHub up to 24 hours to respond.
There are some other things you should know before trying out your skills on GitHub. You’re not allowed to use automated tools and scanners.
Social engineering and phishing attacks against GitHub employees are also forbidden. The details of the vulnerability must not be disclosed before the issue has been addressed.
Cross-site scripting (XSS) vulnerabilities are accepted. However, they don’t qualify for a reward if they only impact legacy browsers and plugins, or if too much user interaction is needed to trigger them.
Additional details, along with a leaderboard that shows the top contributors, are available on the GitHub Security Bug Bounty website.