Check the list of domains that are in scope for the Bug Bounty program and the list of targets for useful information for getting started.
Check the list of bugs that have been classified as ineligible. Submissions which are ineligible will likely be closed as Not Applicable.
Check the GitHub Changelog for recently launched features.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
When in doubt, contact us at [email protected].
By participating in GitHub’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to GitHub’s Terms of Service as well as the following:
you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.
your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
GitHub reserves the right to terminate or discontinue the Program at its discretion.
Only test for vulnerabilities on sites you know to be operated by GitHub and are in-scope. Some sites hosted on subdomains of GitHub.com are operated by third parties and should not be tested.
We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.
Your research is covered by the GitHub Bug Bounty Program Legal Safe Harbor policy. In summary:
We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program’s scope.
We want you to coordinate disclosure through our bug bounty program, and don’t want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.
Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.
Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.
We recommend adding your HackerOne @wearehackerone.com email address to any GitHub account that you use to perform security research and testing. If you use multiple GitHub accounts for testing, you can use aliases of your HackerOne email address. Clearly identifying accounts that are associated with bounty research helps our teams to differentiate between possibly malicious activity and that of researchers involved in our Bug Bounty program. Please note that adding your HackerOne email address does not provide any exemptions to our Terms of Service or permit you to act beyond our bounty rules and scope.
The following are never allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:
nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:
https://github.com)
Do not intentionally access others’ PII. If you suspect a service provides access to PII, limit queries to your own personal information.
Report the vulnerability immediately and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.
Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned
You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.
Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.
When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.
For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.
During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.
All reward amounts are determined by our severity guidelines.
In addition to the bounty reward, some reports will also receive a coupon code that can be redeemed for swag items at the GitHub Bug Bounty Merch Shop. For more information about the store, please visit the shop’s FAQ page.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
You are free to publish write-ups about your vulnerability, and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.
GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne and listed in the GitHub Enterprise Server release notes.
If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. To reduce the likelihood of a bounty being processed before it can be donated, we recommend changing your payment preferences to monthly in your account settings. To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: