Previously identified attacks are not eligible for reward (we’ve put a lot of thought into CSP bypasses already). You can find a discussion of known attacks and our attempts to mitigate them here. Attacks against CSP features not used on GitHub.com, such as script nonces, are not eligible for reward. Vulnerabilities resulting from injection in implausible locations, such as within an element that doesn’t contain user-content, are not eligible for reward. Rewards are determined at our discretion: if you think you’ve found something cool and novel, report it!
Novel attacks that would be exploitable, assuming a content-injection vulnerability on GitHub.com
Exfiltration of sensitive DOM content.
| Rank | Reward | Researcher | Finding |
|---|---|---|---|
| 1 | 1000 pts | Mathias Karlsson | XHR-submitted forms bypass CSP form-action |
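The leaderboard entry above credits a bypass of `form-action` via XHR-submitted forms. The reason it works is a scoping detail of CSP: `form-action` constrains only the navigation that a form submission causes, while a script that reads the form and sends the data with XMLHttpRequest or fetch is governed by `connect-src`. The following Python linter is an added example, not GitHub's page content or tooling: it parses a Content-Security-Policy header value and flags a policy that restricts `form-action` but leaves `connect-src` unrestricted (including via the `default-src` fallback). The sample policies are constructed for illustration.

```python
"""Minimal CSP header parser plus a check for the form-action / connect-src gap.

form-action limits where a form may navigate on submit; it does not fall back
to default-src. XHR/fetch requests are limited by connect-src, which does fall
back to default-src. A policy that locks down one but not the other still
leaves one path for form data to leave the page.

Added example for illustration (not GitHub's tooling); sample policies below
are constructed.
"""
from typing import Dict, List, Optional

# Constructed sample policies (not GitHub.com's real policy).
WEAK_POLICY = "script-src 'self'; form-action 'self'"
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self'; connect-src 'self'; form-action 'self'"
)

# Source expressions that effectively allow any destination.
BROAD_SOURCES = {"*", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}.

    Directives are ';'-separated; the first token of each is the directive
    name (case-insensitive, so it is lowercased). Per the spec, a directive
    that appears twice keeps its first occurrence.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list governing `directive`, or None if nothing does.

    connect-src (a fetch directive) inherits default-src when absent;
    form-action (a navigation directive) never does.
    """
    if directive in policy:
        return policy[directive]
    if directive == "form-action":
        return None
    return policy.get("default-src")


def is_restricted(sources: Optional[List[str]]) -> bool:
    """True when the source list actually limits destinations."""
    if sources is None:
        return False
    return not any(src in BROAD_SOURCES for src in sources)


def check_form_action_gap(header: str) -> List[str]:
    """Return human-readable findings about form-submission exfiltration paths."""
    policy = parse_csp(header)
    findings: List[str] = []
    fa = effective_sources(policy, "form-action")
    cs = effective_sources(policy, "connect-src")
    if not is_restricted(fa):
        findings.append("form-action unrestricted: form submissions may navigate anywhere")
    if not is_restricted(cs):
        findings.append("connect-src unrestricted: XHR/fetch may send form data anywhere")
    if is_restricted(fa) and not is_restricted(cs):
        findings.append(
            "gap: form-action is restricted but connect-src is not, "
            "so a scripted (XHR/fetch) submission sidesteps form-action"
        )
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {check_form_action_gap(policy) or ['no findings']}")
```

The check is deliberately conservative: it treats `*`, `http:` and `https:` as "unrestricted" but does not attempt to judge whether a narrower host list is appropriate for the site. Running it over the weak policy reports the `connect-src` gap; the hardened policy, which sets both `connect-src` and `form-action`, produces no findings.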