GitHub Security Bug Bounty

Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. Our bounty program gives a tip of the hat to these researchers and provides some cold hard cash for their efforts.

If you’ve found a vulnerability, submit it here. You can find more information in the rules and FAQs. You can also check the current rankings on the leaderboard.

Happy hacking!

Leaderboard

These are the current top 10 bounty hunters based on total points earned across all targets. For listings by target, visit their individual pages. For the full list of contributors, check out GitHub’s bounty hunters.

Rank  Handle       Points      Researcher
  1   adob         30,750 pts  Aleksandr Dobkin (@adob)
  2   joernchen    28,500 pts  joernchen of Phenoelit (@joernchen)
  3   Cache-Money  16,000 pts  Tanner (@Cache-Money)
  4   jkakavas     15,600 pts  Ioannis Kakavas (@jkakavas)
  5   kyprizel     14,000 pts  kyprizel (@kyprizel)
  6   orangetw     12,500 pts  Orange Tsai (@orangetw)
  7   iblue        10,000 pts  Markus Fenske (@iblue)
  8   tunz          9,500 pts  Choongwoo Han (@tunz)
  9   kamilhism     8,200 pts  Kamil Hismatullin (@kamilhism)
 10   bburky        7,500 pts  Blake Burkhart (@bburky)

Rules

Rules for you
  • Don’t attempt to gain access to another user’s account or data.

  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.

  • Don’t publicly disclose a bug before it has been fixed.

  • Only test for vulnerabilities on sites you know to be operated by GitHub and listed under Open bounties. Some sites hosted on subdomains of GitHub.com are operated by third parties, e.g. shop.github.com, and should not be tested.

  • Do not impact other users with your testing, this includes testing for vulnerabilities in repositories you do not own. We may suspend your GitHub account and ban your IP address if you do so.

  • Don’t use scanners, scrapers or any other automated tools in your testing. They’re noisy and we may suspend your GitHub account and ban your IP address.

  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • When in doubt, contact us at bounty@github.com.

Rules for us
  • We will respond as quickly as possible to your submission.

  • We will keep you updated as we work to fix the bug you submitted.

  • We will not take legal action against you if you play by the rules.

What does not qualify?
  • Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.

  • Bugs requiring exceedingly unlikely user interaction.

  • Submissions which don’t include steps to reproduce the bug, or only include those steps in video form.

  • Bugs, such as timing attacks, that prove the existence of a private repository or user.

  • Insecure cookie settings for non-sensitive cookies.

  • Disclosure of public information and information that does not present significant risk.

  • Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.

  • Bugs in applications not listed under Open bounties are generally not eligible. Look at individual bounties for details on scope.

  • Bugs in content/services that are not owned/operated by GitHub. This includes our users’ code, GitHub Pages sites, and third party services operating on subdomains of GitHub.com.

  • Vulnerabilities that GitHub determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.

  • Scripting or other automation and brute forcing of intended functionality.

  • For guidance, we have listed the Vulnerability classifications we use to organize submissions made to the Bounty program.

  • When in doubt, contact us at bounty@github.com.

Open bounties

$555 - $20,000
GitHub.com

GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

You can find the app at https://github.com.

$555 - $20,000
GitHub API

The GitHub API is used by thousands of developers and applications to programmatically interact with GitHub data and services. Because so much of the GitHub.com functionality is exposed in the API, security has always been a high priority.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors.

You can find the app at https://api.github.com and can find the API documentation at https://developer.github.com.

$555 - $20,000
GitHub Enterprise

GitHub Enterprise is the on-premises version of GitHub. GitHub Enterprise shares a code-base with GitHub.com, is built on Ruby on Rails and leverages a number of open source technologies.

GitHub Enterprise adds a number of features for enterprise infrastructures. This includes additional authentication backends and clustering options. Below is a subset of features unique to GitHub Enterprise that might be interesting to investigate.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, a vulnerability in a service that is intended to be restricted from external access would have a lower reward than one within the core GitHub Enterprise web interface.

You can request a trial of GitHub Enterprise for security testing at https://enterprise.github.com/bounty.

$555 - $20,000
GitHub Gist

Gist is one of the first products launched by GitHub after GitHub.com. It is a service for sharing snippets of code or other text content. Gist is built on Ruby on Rails and leverages a number of Open Source technologies.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

You can find the app at https://gist.github.com.

$1,000 - $10,000
GitHub CSP

While content-injection vulnerabilities are already in-scope for our GitHub.com bounty, we also accept bounty reports for novel CSP bypasses affecting GitHub.com, even if they do not include a content-injection vulnerability. Using an intercepting proxy or your browser’s developer tools, experiment with injecting content into the DOM. See if you can execute arbitrary JavaScript or exfiltrate sensitive page contents such as CSRF tokens. Reports of other previously-unknown impacts from content-injection will also be considered.

Previously identified attacks are not eligible for reward (we’ve put a lot of thought into CSP bypasses already). You can find a discussion of known attacks and our attempts to mitigate them here. Attacks against CSP features not used on GitHub.com, such as script nonces, are not eligible for reward. Vulnerabilities resulting from injection in implausible locations, such as within an element that doesn’t contain user-content, are not eligible for reward. Rewards are determined at our discretion: if you think you’ve found something cool and novel, report it!
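Before spending time on a bypass it helps to know exactly which injection primitives a given policy leaves open, since several directives (form-action, base-uri, frame-ancestors) do not inherit default-src and are easy to forget. The following is an added example, not GitHub's code and not GitHub.com's actual policy: a small CSP evaluator that parses a policy string and reports whether an injected inline script, remote script, image beacon, form hijack or base hijack would be allowed. The three policies and the hostnames (app.example.test, attacker.test, example-cdn.test) are constructed for the example; nonce and hash sources are treated as unmatchable by injected content, and path matching is omitted.

```python
"""Added example: which content-injection primitives does a CSP leave open?

Not GitHub's code. Policies and hostnames below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Fetch directives fall back to default-src when absent; navigation/document
# directives (form-action, base-uri, frame-ancestors) never do.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                    "media-src", "object-src", "frame-src", "child-src", "manifest-src"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> dict:
    """Split a policy into {directive: [source expressions]}; first duplicate wins."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list that governs `directive`, or None when it is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def _source_matches(src: str, url: str, page_origin: str) -> bool:
    """Match one source expression (keyword, scheme, or host) against an absolute URL."""
    src_l = src.lower()
    target = urlsplit(url)
    if src_l == "'self'":
        origin = urlsplit(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if src_l.startswith("'"):            # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if src_l == "*":
        return target.scheme in DEFAULT_PORTS
    if src_l.endswith(":") and "/" not in src_l:   # scheme-source such as https: or data:
        return target.scheme == src_l[:-1]
    if "://" in src_l:                   # host-source with explicit scheme
        scheme, _, host_part = src_l.partition("://")
        if target.scheme != scheme:
            return False
    else:                                # schemeless host-source: page scheme, or its https upgrade
        host_part = src_l
        if target.scheme not in (urlsplit(page_origin).scheme, "https"):
            return False
    host, _, port = host_part.split("/")[0].partition(":")
    if port and port != "*" and port != str(target.port or DEFAULT_PORTS.get(target.scheme)):
        return False
    thost = target.hostname or ""
    if host.startswith("*."):            # *.example.test matches a.example.test, not example.test
        return thost.endswith(host[1:])
    return thost == host


def allows_url(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(_source_matches(s, url, page_origin) for s in sources)


def allows_inline(policy: dict, directive: str, page_origin: str) -> bool:
    """Injected inline code runs only with 'unsafe-inline' and no nonce/hash present."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def injection_report(header: str, page_origin: str = "https://app.example.test",
                     attacker: str = "https://attacker.test") -> dict:
    """True means the primitive is allowed by the policy, False means blocked."""
    p = parse_csp(header)
    return {
        "inline <script>": allows_inline(p, "script-src", page_origin),
        "<script src=attacker>": allows_url(p, "script-src", attacker + "/x.js", page_origin),
        "<img src=attacker> beacon": allows_url(p, "img-src", attacker + "/?leak=", page_origin),
        "<form action=attacker>": allows_url(p, "form-action", attacker, page_origin),
        "<base href=attacker>": allows_url(p, "base-uri", attacker, page_origin),
    }


# Constructed policies (hypothetical, not any real site's header).
STRICT = ("default-src 'none'; script-src https://assets.example-cdn.test; "
          "img-src 'self' data: https://*.example-cdn.test; connect-src 'self'; "
          "form-action 'self'; base-uri 'self'")
# Same fetch restrictions, but form-action/base-uri were forgotten and do not inherit default-src.
FORGOT_NAVIGATION = "default-src 'none'; script-src https://assets.example-cdn.test; img-src 'self'"
LAX = "default-src 'self' 'unsafe-inline' https:"

if __name__ == "__main__":
    for name, header in (("strict", STRICT), ("forgot-navigation", FORGOT_NAVIGATION), ("lax", LAX)):
        print(name)
        for primitive, allowed in injection_report(header).items():
            print(f"  {'ALLOWED' if allowed else 'blocked':8} {primitive}")
```

Run it and compare the three reports: the strict policy blocks every primitive, the second one still lets an injected form or base element redirect submissions and relative URLs to the attacker even though default-src is 'none', and the lax policy allows everything. A novel bypass, in the sense the bounty describes, is one that achieves an effect this table says should be blocked.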

Other applications

GitHub builds and operates a number of web properties and applications. Not all of them are currently part of an open bounty, however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed on the Open bounties are not currently eligible for cash rewards.

Severity Guidelines

All bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:

$10,000 - $20,000
Critical

Critical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:

  • arbitrary code/command execution on a GitHub server in our production network.
  • arbitrary SQL queries on the GitHub production database.
  • bypassing the GitHub login process, either password or 2FA.
  • access to sensitive production user data or access to internal production systems.
$5,000 - $10,000
High

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:

  • injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.
  • bypassing authorization logic to grant a repository collaborator more access than intended.
  • discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.
  • gaining access to a non-critical resource that only GitHub employees should be able to reach.
$1,000 - $5,000
Medium

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:

  • disclosing the title of issues in private repositories which should be inaccessible.
  • injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user’s session.
  • bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.
$555 - $1,000
Low

Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior. For example:

  • signing up arbitrary users for access to an “early access feature” without their consent.
  • creating an issue comment that bypasses our image proxying filter by providing a malformed URL.
  • triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.
  • triggering application exceptions that could affect many GitHub users.

Ineligible submissions

There are a handful of reports that we consider ineligible, either because the feature is working as intended or we accept the low risk as a security/usability tradeoff:

FAQs

Can I donate my reward to a charity?

Yes. We know that some of you would prefer your bounty reward go toward helping someone else. If you choose, we will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub’s choosing.

I reported a vulnerability but have not received a response!

Please allow up to 72 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic. If you ever feel we are not communicating in a timely fashion, definitely let us know.

Where is your PGP key? I want to use it when I submit a vulnerability.

If you absolutely believe encrypting the message is necessary, please read our instructions and caveats for PGP submissions.

Can I submit a video proof-of-concept?

You can certainly attach a video if you believe it will clarify your submission. However, all submissions must also include step-by-step instructions to reproduce the bug. The security team will let you know if we think a video will clarify your report. Submissions which only include video reproduction steps will have a longer response time and we may close your submission as Not Applicable.

How is the bounty reward determined?

Our security and development teams take many factors into account when determining a reward. These factors include the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and systems. Sometimes an otherwise critical vulnerability has a very low impact simply because it is mitigated by some other component, e.g. requires user interaction, an obscure web browser, or would need to be combined with another vulnerability that does not currently exist.

What are points?

In addition to giving researchers money, we are trying to make this fun. We assign a point value to each vulnerability and list it on this site. The researchers with the most points are listed on our leaderboard. While we use many of the same metrics when determining point value as for dollar value, other non-tangible factors are considered as well. For example, if you provide an awesome writeup of a vulnerability with a functional POC that will be factored in.

What if I do not want my submission published on the bounty website or do not have a GitHub account?

Please still send us your vulnerability! We will only publish your submission after your approval. To be visible within the leaderboard you must provide us with a GitHub username. This allows us to link submissions to a single user and generate your sweet profile page.

Can I submit my report via a third-party or vulnerability broker?

GitHub’s Bug Bounty program is designed to both reward individual researchers and increase the security of all GitHub users. We don’t believe that disclosing GitHub vulnerabilities to third parties achieves either of those goals. As a result, any vulnerabilities that are disclosed to third-party before being submitted to our program are ineligible for rewards.

I don't live in the United States, or I'm under 18, am I eligible?

Yes, international researchers are eligible. Researchers between 13 and 18 years of age are also eligible; however, those in the United States will need to submit a guardian consent form before any payment can be made. Individuals under 13 years of age are not eligible to participate due to U.S. federal law.

What are the legal terms of GitHub's Bug Bounty program?

By participating in GitHub’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to GitHub’s Terms of Service as well as the following:

  • you’re not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, the Sudan and Syria.

  • your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.

  • you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.

  • GitHub reserves the right to terminate or discontinue the Program at its discretion.