GitHub Security Bug Bounty

Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. Our bounty program gives a tip of the hat to these researchers and provides some cold hard cash for their efforts.

If you’ve found a vulnerability, submit it here. You can find more information in the rules and FAQs. You can also check the current rankings on the leaderboard.

Happy bug hunting!

Leaderboard

These are the current top 10 bounty hunters based on total points earned across all targets. For listings by target, visit their individual pages. For the full list of contributors, check out GitHub’s bounty hunters.

1. Aleksandr Dobkin (@adob): 8,750 pts
2. joernchen of Phenoelit (@joernchen): 7,000 pts
3. Egor Homakov (@homakov): 5,750 pts
4. Jon of Bitquark (@bitquark): 3,600 pts
5. Masato Kinugawa (@masatokinugawa): 1,800 pts
6. Andy Hoernecke (@ahoernecke): 1,000 pts
7. கோபிநாத்(Gopinath) - மதுரை(Madurai) (@gopinath6): 900 pts
8. Mathias Bynens (@mathiasbynens): 700 pts
9. Tom Van Goethem (@tomvangoethem): 700 pts
10. Ari Rubinstein (@arirubinstein): 500 pts

Rules

Rules for you
  • Don’t attempt to gain access to another user’s account or data.

  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.

  • Don’t publicly disclose a bug before it has been fixed.

  • Only test for vulnerabilities on sites you know to be operated by GitHub and listed under Open bounties. Some sites hosted on subdomains of GitHub.com are operated by third parties, e.g. shop.github.com, and should not be tested.

  • Do not impact other users with your testing; this includes testing for vulnerabilities in repositories you do not own. We may suspend your GitHub account and ban your IP address if you do so.

  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your GitHub account and ban your IP address.

  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • When in doubt, email us.

Rules for us
  • We will respond as quickly as possible to your submission.

  • We will keep you updated as we work to fix the bug you submitted.

  • We will not take legal action against you if you play by the rules.

What does not qualify?
  • Bugs, such as XSS, that only affect legacy browser/plugin versions.

  • Bugs, such as XSS, requiring exceedingly unlikely user interaction.

  • Bugs, such as timing attacks, that prove the existence of a private repository or user.

  • Insecure cookie settings for non-sensitive cookies.

  • Disclosure of public information and information that does not present significant risk.

  • Bugs that have already been submitted by another user or that we are already aware of.

  • Bugs in applications not listed under Open bounties are generally not eligible. Look at individual bounties for details on scope.

  • Bugs in content/services that are not owned/operated by GitHub. This includes our users’ code, GitHub Pages sites, and third party services operating on subdomains of GitHub.com.

  • Vulnerabilities that GitHub determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.

  • Scripting or other automation and brute forcing of intended functionality.

  • For guidance, we have listed the Vulnerability classifications we use to organize submissions made to the Bounty program.

  • When in doubt, email us.

Open bounties

GitHub API

The GitHub API is used by thousands of developers and applications to programmatically interact with GitHub data and services. Because so much of the GitHub.com functionality is exposed in the API, security has always been a high priority.

Rewards range from $100 up to $5000 and are determined at our discretion based on a number of factors.

You can find the app at https://api.github.com and can find the API documentation at https://developer.github.com.

GitHub Gist

Gist is one of the first products launched by GitHub after GitHub.com. It is a service for sharing snippets of code or other text content. Gist is built on Ruby on Rails and leverages a number of Open Source technologies.

Rewards range from $100 up to $5000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

You can find the app at https://gist.github.com.

GitHub.com

GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.

Rewards range from $100 up to $5000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

You can find the app at https://github.com.

Other applications

GitHub builds and operates a number of web properties and applications. Not all of them are currently part of an open bounty, however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed on the Open bounties are not currently eligible for cash rewards.

FAQs

How are bounty payments made?

All bounties are currently paid via PayPal. Also, it turns out our accountants like to keep the U.S. IRS happy, and to do that we need to collect a W-9 (U.S. citizens) or a W-8BEN (non-U.S.) before any payment can be made. If you are unwilling or unable to submit this documentation, we can still list your name on the site and send you some swag; however, paid bounties are not possible.

Can I donate my reward to a charity?

Yes. We know that some of you would prefer your bounty reward go toward helping someone else. If you choose, we will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation, subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub’s choosing.

I don't live in the United States, or I'm under 18. Am I eligible?

Yes, international researchers are eligible. Researchers between 13 and 18 years of age are also eligible; however, those in the United States will need to submit a guardian consent form before any payment can be made. Individuals under 13 years of age are not eligible to participate due to U.S. federal law.

I reported a vulnerability but have not received a response!

Please allow up to 24 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic. If you ever feel we are not communicating in a timely fashion, definitely let us know.

Where is your PGP key? I want to use it when I submit a vulnerability.

If you absolutely believe encrypting the message is necessary, please read our instructions and caveats for PGP submissions.

How is the bounty reward determined?

Our security and development teams take many factors into account when determining a reward. These factors include the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and systems. Sometimes an otherwise critical vulnerability has a very low impact simply because it is mitigated by some other component, e.g. requires user interaction, an obscure web browser, or would need to be combined with another vulnerability that does not currently exist.

What are points?

In addition to giving researchers money, we are trying to make this fun. We assign a point value to each vulnerability and list it on this site. The researchers with the most points are listed on our leaderboard. While we use many of the same metrics when determining point value as for dollar value, other non-tangible factors are considered as well. For example, if you provide an awesome writeup of a vulnerability with a functional POC that will be factored in.

What if I do not want my submission published on the bounty website or do not have a GitHub account?

Please still send us your vulnerability! We will only publish your submission after your approval. To be visible within the leaderboard you must provide us with a GitHub username. This allows us to link submissions to a single user and generate your sweet profile page.

What are the legal terms of GitHub's Bug Bounty program?

By participating in GitHub’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to GitHub’s Terms of Service as well as the following:

  • you’re not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, the Sudan and Syria.

  • your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.

  • you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.

  • GitHub reserves the right to terminate or discontinue the Program at its discretion.