Bounty: $500$5000

GitHub CSP


While content-injection vulnerabilities are already in-scope for our bounty, we also accept bounty reports for novel CSP bypasses affecting, even if they do not include a content-injection vulnerability. Using an intercepting proxy or your browser’s developer tools, experiment with injecting content into the DOM. See if you can execute arbitrary JavaScript or exfiltrate sensitive page contents such as CSRF tokens. Reports of other previously-unknown impacts from content-injection will also be considered.

Previously identified attacks are not eligible for reward (we’ve put a lot of thought into CSP bypasses already). You can find a discussion of known attacks and our attempts to mitigate them here. Attacks against CSP features not used on, such as script nonces, are not eligible for reward. Vulnerabilities resulting from injection in implausible locations, such as within an element that doesn’t contain user-content, are not eligible for reward. Rewards are determined at our discretion: if you think you’ve found something cool and novel, report it!

Bounty scope

Submit a vulnerability for GitHub CSP

Recently collected GitHub CSP bounties:

1 avlidienbrunn 1000 pts Mathias Karlsson XHR submitted forms bypass CSP form-action