GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.
Rewards range from $200 up to $10000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.
You can find the app at https://github.com.
Resources and features within the
TCP ports 80, 443, 22 and 9418 are in scope, as are Git services.
Subdomains (e.g. Gist, the API, etc.) are not in scope, nor is anything hosted on the github.io domain.
Obviously, vulnerabilities in user hosted code do not qualify.
| # | Points | Researcher | Finding |
|---|---|---|---|
| 1 | 1000 pts | @mishre | Organization member can change organization visibility for other members |
| 2 | 600 pts | Ioannis Kakavas | SAML Response attribute not revoked to prevent replay attacks |
| 3 | 3000 pts | yasin | Unauthenticated organization SAML recovery code download |
| 4 | 500 pts | kyprizel | HTTP header injection in Git proxy |
| 5 | 2500 pts | kyprizel | Denial of service in babeld |