Dependabot powers GitHub’s automated security fixes. This feature allows GitHub users to automatically update vulnerable dependencies. The core logic of Dependabot is open-source and an overview of the architecture is available.
The dependency update jobs are designed to execute arbitrary code. Update jobs run in a sandbox designed to execute untrusted code and prevent access to private networked resources or other users’ data. Escaping the sandbox to access private networked resources or other user’s data is a vulnerability and eligible for reward.