Bounty: $555 - $20,000

GitHub Gist


Gist is one of the first products launched by GitHub. It is a service for sharing snippets of code or other text content. Gist is built on Ruby on Rails and uses a number of open-source technologies.

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors, chiefly severity and the share of users actually exposed. For example, if you find a reflected XSS that is only exploitable in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

You can find the app at

Bounty scope


Recently collected GitHub Gist bounties (rank, GitHub handle, points awarded, researcher, finding):

1. not-an-aardvark (Teddy Katz), 2000 pts: Insufficient token scope checks for Gist access via Git
2. kamilhism (Kamil Hismatullin), 500 pts: Gist archive download content spoofing
3. ershad (Ershad Kunnakkadan), 500 pts: Disclosure of Gist forks turned secret
4. vito (Alex Suraci), 400 pts: Gists deleted on web were still available via git operations
5. bureado (José Miguel Parrella), 2000 pts: Improper restriction of Gist subdomain routing