The GitHub Bug Bounty Program launched on January 30th, 2014, and received an incredible number of reports in just its first year. Over the years, we've progressively increased our scope and our bounties, and added more fun incentives like GitHub Pro, GitHub Badges, and GitHub Swag! We've even created a private program for our MVP hackers! We love to showcase the cool bugs our researchers find and to give them a spotlight. You can read more about the history of our program on our blog!
GitHub's Bug Bounty Team is a small, but mighty, group of people with a passion for security. Because the team is small, and because our program receives a large number of reports, response times can vary. Our team does its best to address every report as soon as possible.
While our program is hosted on HackerOne, we do not use HackerOne's triage service. Every submission to our program is reviewed by a GitHub Bounty Team member. We do have some automation in place, which means that some responses to your report may come from our buddy Hubot. However, Hubot only responds when a GitHub Bounty Team member tells it to, so even if a response came from Hubot, our team has seen and reviewed your submission.
After reviewing a submission, we make sure the information gets to the right team to fix the issue. Currently, for all medium, high, and critical issues, the bounty is awarded once the issue has been resolved. Because of this, time to bounty can be longer than expected while we wait for engineering to fully remediate the issue.
We do have general guidelines that we follow to determine severity and bounty amount. Each submission's severity and bounty amount is reviewed and approved by multiple team members. To determine severity, we take many factors into consideration, such as ease of exploitation, exposure, and the percentage of impacted users. This means the severity we assign may differ from what is documented in the guidelines.