Credit goes to bounty.github.com

GitHub Copilot

Synopsis

GitHub Copilot uses the OpenAI Codex to suggest code and entire functions in real-time, right from your editor. Copilot is your AI pair programmer!

First-party Copilot Features available under https://github.com/copilot are in scope, including newly launched features that appear there.

GitHub Copilot CLI is in scope for this program. It gives you quick access to a powerful AI agent from your terminal and can help you complete development tasks more efficiently.

GitHub Copilot Enterprise is a Copilot plan available for enterprises that use GitHub Enterprise Cloud.

Focus areas

Ineligible submissions

Vulnerabilities in GitHub Copilot Chat extension and Inline Suggestions in Visual Studio Code

The GitHub Copilot Chat extension and Inline Suggestions from GitHub Copilot in Visual Studio Code are features owned and maintained by Microsoft. Vulnerabilities affecting these features should be reported directly to Microsoft through their Bug Bounty Program.

Prompt Injections

We are aware of prompt injection techniques (including indirect or “invisible” prompt injection via untrusted content such as issue/PR descriptions, comments, or repository files) that may attempt to influence Copilot output. Reports that only demonstrate that Copilot’s output can be influenced or redirected by untrusted content are not eligible for a reward.

  • Prompt injection reports may be eligible only when they demonstrate a concrete security impact such as:
    • Privilege escalation or authorization/policy bypass
    • Cross-tenant / cross-repository data exposure
    • Unauthorized actions occurring without required user confirmation or that bypass enforced authorization, policy, or safety controls.

The security of code suggested by Copilot

GitHub Copilot is designed to generate the best code possible given the context it has access to, but it doesn’t test the code it suggests, so the code may not always work or even make sense. GitHub Copilot can only hold a very limited context, so it may not make use of helpful functions defined elsewhere in your project or even in the same file. It may also suggest old or deprecated uses of libraries and languages.

For suggested code, certain languages like Python, JavaScript, TypeScript, and Go might perform better than other programming languages. In addition, when converting comments written in non-English to code, there may be performance disparities when compared to English.

Although Copilot suggestions are not part of the Bug Bounty program, you are welcome to report any vulnerable patterns you identify in code suggestions to [email protected]. Our blog has more information about our approach to securing code suggestions.

Tokens suggested by Copilot

Any strings suggested by Copilot that resemble tokens are not eligible.

Prototype features

Any Copilot features that are not yet publicly accessible are considered out of scope.

Off topic conversation

Any Copilot chat conversations that are off topic and not programming-related are not eligible.
