Gist is one of the first products launched by GitHub after GitHub.com. It is a service for sharing snippets of code or other text content. Gist is built on Ruby on Rails and leverages a number of Open Source technologies.
Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.
You can find the app at https://gist.github.com.
Resources and features within the service, TCP ports 80, 443, 22 and 9418, and Git services are in scope.
| # | Points | Researcher | Finding |
|---|---|---|---|
| 1 | 2000 pts | Teddy Katz | Insufficient token scope checks for Gist access via Git |
| 2 | 500 pts | Kamil Hismatullin | Gist archive download content spoofing |
| 3 | 500 pts | Ershad Kunnakkadan | Disclosure of Gist forks turned secret |
| 4 | 400 pts | Alex Suraci | Gists deleted on web were still available via git operations |
| 5 | 2000 pts | José Miguel Parrella | Improper restriction of Gist subdomain routing |