GitHub launched its Security Bug Bounty program in 2014. Now in its fifth year, the program has been updated to offer larger rewards and a broader scope to those who find bugs.
GitHub has been expanding the list of GitHub products and services that are eligible for reward. The bounty scope now covers vulnerabilities in all first-party services hosted under the github.com domain. This includes GitHub Education, GitHub Learning Lab, GitHub Jobs, and the GitHub Desktop application. GitHub Enterprise Server has been in scope since 2016; to further strengthen the security of its enterprise customers, GitHub is now expanding the scope to include GitHub Enterprise Cloud as well.
The security of GitHub users' data also depends on the security of GitHub's employees and internal systems. That is why GitHub is also bringing all first-party services under its employee-facing githubapp.com and github.net domains into scope.
GitHub has also increased its reward amounts at all levels:
- Critical: $20,000–$30,000+
- High: $10,000–$20,000
- Medium: $4,000–$10,000
- Low: $617–$2,000
GitHub will no longer cap the reward for critical vulnerabilities. Although the company lists $30,000 as a guideline amount for critical findings, it reserves the right to pay significantly more for "truly cutting-edge research."