GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.
Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.
You can find the app at https://github.com.
Resources and features within the
TCP ports 80, 443, 22, 9418.
Git services are in scope.
Subdomains (e.g. Gist, API) are not in scope, nor is anything hosted on the github.io domain.
Obviously, vulnerabilities in user-hosted code do not qualify.
| Rank | Points | Researcher | Finding |
|---|---|---|---|
| 1 | 5000 pts | Abhishek Dharani | Claiming an organization invite without proving ownership of the invited email address |
| 2 | 1000 pts | Tanner | Insufficient authorization check when adding issues to projects |
| 3 | 1000 pts | @mishre | Bypass organization paid plan billing validation |
| 4 | 1000 pts | Teddy Katz | Private issue title disclosure via marking as duplicate |
| 5 | 3000 pts | Dmitry | Repository Service Hooks making non-http requests |