GitHub Embraces Hacker-Powered Security To Protect 55 Million Projects
We recently published The GitHub Bug Bounty Story and couldn’t be more excited to share it with you! TL;DR: Their lead security engineer summarizes the ROI as “phenomenal”.
You’ve probably heard of GitHub, but you might not know they support more than 20 million people learning, sharing, and working together on more than 55 million projects. Yeah, that’s a lot...and a lot of responsibility on GitHub’s part to ensure the safety and security of their customers’ data.
GitHub’s security team had been using all of the typical approaches to identify bugs, but then, in 2014, they took the leap and launched their own bug bounty program. That puts them in the early-adopter bucket of bug bounty aficionados, and it stemmed from their desire to get more eyes looking for vulnerabilities.
GitHub quickly embraced the bounty concept and welcomed input and feedback from hackers across the globe. But while their initial approach was homegrown, they moved over to the HackerOne platform in 2016 and never looked back.
"By providing welcoming arms, we hoped that people who find issues in GitHub will turn to us before notifying anyone else,” said Neil Matatall, Security Engineer at GitHub. “We’re immensely appreciative of their work, and we want to make sure they know it.”
Working with HackerOne enabled GitHub to expand and streamline their existing program. They’re now taking advantage of HackerOne to communicate with hackers, pay bounties in a foreign currency to distant hackers, and maintain records for eventual audits.
“Using HackerOne saves our security team a large amount of time, but more importantly, it also saves our finance team a lot of trouble,” said Neil. “Moving to the HackerOne platform allowed us to automate away all of the financial burdens, which are significant.”
It’s also helped streamline GitHub’s overall bounty process, enabling them to move from a manual, 20-point process to a mostly automated process that has reduced their triaging checklist down to just 4 items. They’ve even integrated bug data into their internal tracking tools using the HackerOne API.
Through the life of their program, they’ve been amazingly open about their success and the $145,000-plus in bounties they’ve paid. They’ve even run promotions to increase rewards and generate hacker awareness of their program, the most recent of which, their 3-year anniversary promotion, was very successful.
Ultimately, their ROI of “phenomenal” has to be backed up with unwavering confidence in the bounty program’s contribution to their overall security effectiveness. To that, Neil says “there isn’t a single person in the company who thinks the bounty (program) was not successful.”
Now that’s confidence!