GitHub Credentials

Synopsis

GitHub, Inc. uses a mix of our own physical infrastructure, cloud platforms and third-party services to keep everything running smoothly. Keeping the credentials and access tokens for these resources secure is paramount to the security of our employees and users.

Please review our guidance for handling PII before investigating credentials that allow access to GitHub, Inc. resources. The reward amount is based on the impact of the leaked credential, which will be determined by the GitHub Security team.

Focus areas

Ineligible submissions

Credentials which have been detected by GitHub's Token Scanning feature

GitHub’s Token Scanning feature automatically detects credentials accidentally committed to repositories for a number of service providers. Credentials for GitHub, Inc. resources that have already been found via this feature are ineligible for reward.


Recently collected GitHub Credentials bounties:

1. evilpacket (Adam Baldwin), 2500 pts: GitHub employee GitHub.com tokens exposed via NPM package
2. evilpacket (Adam Baldwin), 2500 pts: NPM token for Electron exposed
3. kyprizel (kyprizel), 2500 pts: Credentials disclosed in source code
4. koenrh (Koen Rouwhorst), 1000 pts: World-readable S3 bucket