10 Years of the GitHub Security Bug Bounty Program
GitHub Security recently celebrated the 10th anniversary of its bug bounty program. We’ve been honored to be a part of that journey, running their program for eight of those years. To date, they’ve awarded global researchers over $4 million in bounties, hosted live hacking events, expanded program scope, enhanced transparency, and strengthened security for developers worldwide. Read on to learn how these milestones have culminated in a best-of-breed program on the HackerOne platform. This was originally published on GitHub on June 11, 2024.
Each year, we celebrate the GitHub Security Bug Bounty program, highlighting impressive bugs and researchers, rewards, live hacking events, and more. This year, we celebrate a new milestone: 10 years of the GitHub Security Bug Bounty program!
While we’ve had some exciting growth over the last 10 years, the goals of our program have not changed.
The idea is simple: hackers and security researchers find and report vulnerabilities through our responsible disclosure process. Then, to recognize the significant effort that these researchers often put forth when hunting down bugs, we reward them with some cold hard cash.
Let’s take a look at 10 key moments from the first decade of the GitHub Security Bug Bounty program.
1. In 2014, we launched the program to better engage with security researchers. Here’s what we said at the time, which still rings true today:
Our users’ trust is something we never take for granted here at GitHub. In order to earn and keep that trust we are always working to improve the security of our services. Some vulnerabilities, however, can be very hard to track down and it never hurts to have more eyes.
At launch, the bug bounty program was focused on a subset of our products and services, but over time we’ve expanded the scope (more on that below!).
2. After two years of hosting the program through a homegrown email-based system, we moved to HackerOne in 2016.
3. We boosted payouts in 2017 and participated in Hack the World in 2017, rewarding hackers with twice the reputation points on HackerOne when finding bugs on GitHub.
4. We announced in 2018 that research would be covered by the GitHub Bug Bounty Program Legal Safe Harbor policy to better protect researchers and to remove one of the potential barriers to entry for would-be researchers.
We want you to coordinate disclosure through our bug bounty program and don’t want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy.
5. 2019 saw a 40% increase in submissions and was also the first year we expanded the program’s scope to include more products, like GitHub Actions and GitHub Mobile.
6. In 2020, we landed in HackerOne’s top ten bounty programs list. The rankings were based on the cumulative amount of bounties awarded but also included accolades for time to bounty, number of vulnerability reports resolved, and more.
7. We matched over $64,000 of donations of bounties from researchers in 2021, bringing the total donated to over $100,000. Some of the charities we’ve been able to support include Cancer Research UK, GiveWell Maximum Impact Fund, Greater Pittsburgh Community Food Bank, and Numfocus.
8. The GitHub Bug Bounty swag store launched in 2022, after we learned that not only do our researchers genuinely enjoy receiving swag but they also like to show off their involvement with our bounty program. Hackers can now earn t-shirts, waistpacks, water bottles, and more, in addition to their monetary payouts.
9. We paid out our highest single reward to date in 2023—at $75,000! Compare that with the first year of the bounty, in which we paid out just over $50,000 total.
10. And to wrap up some of our favorite milestones, as of the end of 2023, we surpassed $4,000,000 in total rewards!
2023 year in review
Now that we’ve looked back at some of the key moments from the last 10 years, let’s zoom in and see how 2023 played out. In our 2022 wrap-up, we shared that our core focuses for the next year would be increasing transparency in communication and rewards, growing our public and private programs, and expanding the team’s presence within the community. So, how did we do?
Increasing transparency
Transparency around payments, reports, and decisions is always an area of feedback in the bounty space.
This year, we focused on better understanding common themes of feedback, what we can implement, and how we can ensure we are meeting the needs of our community. We learned a lot from the introduction of limited disclosure of reports on HackerOne and are using those learnings to start planning our next steps. Additionally, understanding that bounty programs are human-to-human interactions, we’ve focused on further improving our researcher engagements so responses are more detailed and clear.
While a lot of this work has been inward to build a solid foundation, we know these improvements are fundamental to our exciting plans as we look ahead.
Growing private and public programs
Our program already features a pretty broad scope across GitHub products, but we know that our community of researchers is always looking for new ways to sink their teeth into the latest products and features we release.
In 2023, we ran several private bounty engagements with our Hacktocats (members of the bounty’s VIP program), including PATs v2 via GraphQL, GitHub Copilot Chat, and others. These exclusive events provided opportunities for the engineers building the features to understand what our researchers are looking for and to address these issues prior to release. We also introduced new bonuses and challenges to incentivize our researchers to participate.
Our public program has continued to see steady growth and participation as well. To encourage researcher participation, we ensure the scope of the public program is regularly updated with GitHub’s latest offerings and functionality, such as GitHub Copilot and Copilot Chat, which were added to the program scope in 2023.
Lastly, we always strive to recognize the ever-growing talent in our community by ensuring our rewards are competitive. We surpassed our highest bounty payment in 2023 with a new record—$75,000.
Community presence
Our team has focused a lot on bringing faces to our handles and ensuring our community gets to benefit from the investments we’ve made into our bounty team and program.
In 2023, this meant attending conferences across the United States, Canada, and Argentina. At these conferences, we meet up with our community, meet others interested in our program, present on relevant topics, and even host meetups. Here are a few links to some of our presentations this past year:
Bsides SF: “Life of a Bug”—GitHub’s Bug Bounty and PSIRT teams partner to investigate security findings submitted by external researchers through our HackerOne bounty program. From triage to notification, this talk gave a glimpse of the roles of both teams and the full incident response process with the walkthrough of a mock bug.
DEFCON: “Building a Great Bounty Program”—Jeff and Logan, security engineers at GitHub, share best practices they’ve learned regarding building and operating Bug Bounty programs based on their experiences working at and with multiple companies. They speak about their mistakes and successes so that other programs can be set up for success, attract researchers to their program, and keep them coming back!
NorthSec: “Logan, security engineer at GitHub, explores the ins and outs of GitHub’s Bug Bounty program, along with advice for those working in or building or hacking on Bug Bounty programs. This talk discusses the high-level processes of issue intake and resolution in Bug Bounty programs, while also diving into the details of how Bug Bounty programs have an ROI, disclosure considerations, and ways to improve collaboration for all parties involved.”
We also partnered with our friends at Capital One and HackerOne to create and host a new conference, Glass Firewall. Knowing that women are largely underrepresented in security, let alone the researcher community, Glass Firewall was created to provide a safe space to break the “barrier to entry” or, as we said, “breaking bytes and barriers.”
What’s next?
In the coming year, we are looking to improve our processes around payout on validation, work towards the next phase of public disclosures, continue to bring more consistency around private bounties for our community, and offer exclusive training and opportunities for our VIP community.
We look forward to continuing our growth and journey in the bug bounty community and are always looking for ways to engage further and act on the feedback received.
The 8th Annual Hacker-Powered Security Report