GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.
Rewards range from $200 up to $10000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.
You can find the app at https://github.com.
Resources and features within the
TCP ports 80, 443, 22, 9418.
Git services are in scope.
Subdomains (e.g. Gist, API, etc.) are not in scope, nor is anything hosted on the github.io domain.
Obviously, vulnerabilities in user-hosted code do not qualify.
| Rank | Points | Researcher | Finding |
|---|---|---|---|
| 1 | 1000 pts | Teddy Katz | Private issue title disclosure via marking as duplicate |
| 2 | 3000 pts | Dmitry | Repository Service Hooks making non-http requests |
| 3 | 2500 pts | Slawomir Brzezinski | XSS in commit messages |
| 4 | 2500 pts | Сковорода Никита Андреевич | User-controlled `class` attribute on some Markdown tags |
| 5 | 1000 pts | Antonio Sanso | Cross-origin brute-forcing of SAML and 2FA recovery codes |