Bounty: $200 to $10000

GitHub.com

Synopsis

GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.

Rewards range from $200 up to $10000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

You can find the app at https://github.com.

Recently collected GitHub.com bounties:

1. not-an-aardvark (Teddy Katz), 1000 pts: Private issue title disclosure via marking as duplicate
2. x-crossfire (Dmitry), 3000 pts: Repository Service Hooks making non-http requests
3. zlamma (Slawomir Brzezinski), 2500 pts: XSS in commit messages
4. ChALkeR (Сковорода Никита Андреевич), 2500 pts: User-controlled `class` attribute on some Markdown tags
5. asanso (Antonio Sanso), 1000 pts: Cross-origin brute-forcing of SAML and 2FA recovery codes