Dependabot powers GitHub’s automated security fixes. This feature allows GitHub users to automatically update vulnerable dependencies. The core logic of Dependabot is open-source and an overview of the architecture is available.

Focus areas

Ineligible submissions

Arbitrary code execution in dependency update jobs

Dependency update jobs are designed to execute arbitrary code: resolving and updating a dependency means running the ecosystem's own package tooling, which may in turn run code supplied by the packages being resolved (install scripts, build hooks, manifest evaluation). Demonstrating that an update job runs code from a dependency is therefore not, by itself, a vulnerability. Update jobs run in a sandbox designed to execute untrusted code and to prevent access to private networked resources and other users' data. Escaping that sandbox to reach private networked resources or other users' data is a vulnerability and is eligible for reward.

