GitHub Security Bug Bounty

Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by Google, Facebook, Mozilla, and others have helped to create a strong bug-hunting community. Our bounty program gives a tip of the hat to these researchers and provides some cold hard cash for their efforts.

If you’ve found a vulnerability, submit it here. You can find more information in the rules and FAQs. You can also check the current rankings on the leaderboard.

Happy bug hunting!

Leaderboard

These are the current top 10 bounty hunters based on total points earned across all targets. For listings by target, visit their individual pages. For the full list of contributors, check out GitHub’s bounty hunters.

 1. adob         30,750 pts   Aleksandr Dobkin          @adob
 2. joernchen    28,500 pts   joernchen of Phenoelit    @joernchen
 3. Cache-Money  16,000 pts   Tanner                    @Cache-Money
 4. jkakavas     15,600 pts   Ioannis Kakavas           @jkakavas
 5. kyprizel     14,000 pts   kyprizel                  @kyprizel
 6. orangetw     12,500 pts   Orange Tsai               @orangetw
 7. iblue        10,000 pts   Markus Fenske             @iblue
 8. tunz          9,500 pts   Choongwoo Han             @tunz
 9. kamilhism     8,200 pts   Kamil Hismatullin         @kamilhism
10. bburky        7,500 pts   Blake Burkhart            @bburky

Rules

 
Rules for you
  • Don’t attempt to gain access to another user’s account or data.

  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.

  • Don’t publicly disclose a bug before it has been fixed.

  • Only test for vulnerabilities on sites you know to be operated by GitHub and listed under Open bounties. Some sites hosted on subdomains of GitHub.com are operated by third parties, e.g. shop.github.com, and should not be tested.

  • Do not impact other users with your testing; this includes testing for vulnerabilities in repositories you do not own. We may suspend your GitHub account and ban your IP address if you do so.

  • Don’t use scanners, scrapers or any other automated tools in your testing. They’re noisy and we may suspend your GitHub account and ban your IP address.

  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • When in doubt, contact us at bounty@github.com.

 
Rules for us
  • We will respond as quickly as possible to your submission.

  • We will keep you updated as we work to fix the bug you submitted.

  • We will not take legal action against you if you play by the rules.

 
What does not qualify?
  • Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.

  • Bugs requiring exceedingly unlikely user interaction.

  • Submissions which don’t include steps to reproduce the bug, or only include those steps in video form.

  • Bugs, such as timing attacks, that prove the existence of a private repository or user.

  • Insecure cookie settings for non-sensitive cookies.

  • Disclosure of public information and information that does not present significant risk.

  • Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.

  • Bugs in applications not listed under Open bounties are generally not eligible. Look at individual bounties for details on scope.

  • Bugs in content/services that are not owned/operated by GitHub. This includes our users’ code, GitHub Pages sites, and third party services operating on subdomains of GitHub.com.

  • Vulnerabilities that GitHub determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.

  • Scripting or other automation and brute forcing of intended functionality.

  • For guidance, we have listed the Vulnerability classifications we use to organize submissions made to the Bounty program.

  • When in doubt, contact us at bounty@github.com.

Open bounties

$555 - $20,000
GitHub.com

GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

You can find the app at https://github.com.

$555 - $20,000
GitHub API

The GitHub API is used by thousands of developers and applications to programmatically interact with GitHub data and services. Because so much of the GitHub.com functionality is exposed in the API, security has always been a high priority.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors.

You can find the app at https://api.github.com and can find the API documentation at https://developer.github.com.

$555 - $20,000
GitHub Enterprise

GitHub Enterprise is the on-premises version of GitHub. GitHub Enterprise shares a codebase with GitHub.com, is built on Ruby on Rails and leverages a number of open source technologies.

GitHub Enterprise adds a number of features for enterprise infrastructures. This includes additional authentication backends and clustering options. Below is a subset of features unique to GitHub Enterprise that might be interesting to investigate.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, a vulnerability in a service that is intended to be restricted from external access would have a lower reward than one within the core GitHub Enterprise web interface.

You can request a trial of GitHub Enterprise for security testing at https://enterprise.github.com/bounty.

$555 - $20,000
GitHub Gist

Gist is one of the first products launched by GitHub after GitHub.com. It is a service for sharing snippets of code or other text content. Gist is built on Ruby on Rails and leverages a number of Open Source technologies.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

You can find the app at https://gist.github.com.

$1,000 - $10,000
GitHub CSP

While content-injection vulnerabilities are already in-scope for our GitHub.com bounty, we also accept bounty reports for novel CSP bypasses affecting GitHub.com, even if they do not include a content-injection vulnerability. Using an intercepting proxy or your browser’s developer tools, experiment with injecting content into the DOM. See if you can execute arbitrary JavaScript or exfiltrate sensitive page contents such as CSRF tokens. Reports of other previously-unknown impacts from content-injection will also be considered.

Previously identified attacks are not eligible for reward (we’ve put a lot of thought into CSP bypasses already). You can find a discussion of known attacks and our attempts to mitigate them here. Attacks against CSP features not used on GitHub.com, such as script nonces, are not eligible for reward. Vulnerabilities resulting from injection in implausible locations, such as within an element that doesn’t contain user-content, are not eligible for reward. Rewards are determined at our discretion: if you think you’ve found something cool and novel, report it!

Other applications

GitHub builds and operates a number of web properties and applications. Not all of them are currently part of an open bounty; however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed under Open bounties are not currently eligible for cash rewards.

Ineligible submissions

There are a handful of reports that we consider ineligible, either because the feature is working as intended or we accept the low risk as a security/usability tradeoff:

FAQs

 
Can I donate my reward to a charity?

Yes. We know that some of you would prefer your bounty reward go toward helping someone else. If you choose, we will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub’s choosing.

 
I reported a vulnerability but have not received a response!

Please allow up to 72 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic. If you ever feel we are not communicating in a timely fashion, definitely let us know.

 
Where is your PGP key? I want to use it when I submit a vulnerability.

If you absolutely believe encrypting the message is necessary, please read our instructions and caveats for PGP submissions.

 
Can I submit a video proof-of-concept?

You can certainly attach a video if you believe it will clarify your submission. However, all submissions must also include step-by-step instructions to reproduce the bug. The security team will let you know if we think a video will clarify your report. Submissions which only include video reproduction steps will have a longer response time and we may close your submission as Not Applicable.

 
How is the bounty reward determined?

Our security and development teams take many factors into account when determining a reward. These factors include the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and systems. Sometimes an otherwise critical vulnerability has a very low impact simply because it is mitigated by some other component, e.g. requires user interaction, an obscure web browser, or would need to be combined with another vulnerability that does not currently exist.

 
What are points?

In addition to giving researchers money, we are trying to make this fun. We assign a point value to each vulnerability and list it on this site. The researchers with the most points are listed on our leaderboard. While we use many of the same metrics when determining point value as for dollar value, other non-tangible factors are considered as well. For example, if you provide an awesome writeup of a vulnerability with a functional POC that will be factored in.

 
What if I do not want my submission published on the bounty website or do not have a GitHub account?

Please still send us your vulnerability! We will only publish your submission after your approval. To be visible within the leaderboard you must provide us with a GitHub username. This allows us to link submissions to a single user and generate your sweet profile page.

 
Can I submit my report via a third-party or vulnerability broker?

GitHub’s Bug Bounty program is designed to both reward individual researchers and increase the security of all GitHub users. We don’t believe that disclosing GitHub vulnerabilities to third parties achieves either of those goals. As a result, any vulnerabilities that are disclosed to a third party before being submitted to our program are ineligible for rewards.

 
I don't live in the United States, or I'm under 18. Am I eligible?

Yes, international researchers are eligible. Researchers between 13 and 18 years of age are also eligible; however, those in the United States will need to submit a guardian consent form before any payment can be made. Individuals under 13 years of age are not eligible to participate due to U.S. federal law.

 
What are the legal terms of GitHub's Bug Bounty program?

By participating in GitHub’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to GitHub’s Terms of Service as well as the following:

  • you’re not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, the Sudan and Syria.

  • your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.

  • you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.

  • GitHub reserves the right to terminate or discontinue the Program at its discretion.