GitHub Copilot

Synopsis

GitHub Copilot uses the OpenAI Codex to suggest code and entire functions in real-time, right from your editor. Copilot is your AI pair programmer!

GitHub Copilot Enterprise is a Copilot plan available for enterprises that use GitHub Enterprise Cloud.

Focus areas

Ineligible submissions

The security of code suggested by Copilot

GitHub Copilot is designed to generate the best code possible given the context it has access to, but it doesn’t test the code it suggests, so the code may not always work or even make sense. GitHub Copilot can only hold a very limited context, so it may not make use of helpful functions defined elsewhere in your project or even in the same file. It may also suggest old or deprecated uses of libraries and languages.

For suggested code, certain languages like Python, JavaScript, TypeScript, and Go might perform better than other programming languages. In addition, when converting comments written in non-English to code, there may be performance disparities when compared to English.

Although Copilot suggestions are not part of the Bug Bounty program, you are welcome to report any vulnerable patterns you identify in code suggestions to copilot-safety@github.com. Our blog has more information about our approach to securing code suggestions.

Tokens suggested by Copilot

Any strings suggested by Copilot that resemble tokens are not eligible.

Prototype features

Any Copilot features that are not yet publicly accessible are considered out of scope.

Off topic conversation

Any Copilot chat conversations that are off topic and not programming-related are not eligible.
