GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.
Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.
You can find the app at https://github.com.
Resources and features within the
TCP ports 80, 443, 22, 9418.
Git services are in scope.
Subdomains are not in scope, e.g. Gist, API, etc. Or anything hosted on the github.io domain.
Obviously, vulnerabilities in user hosted code do not qualify.
|1||1000 pts Antonio Sanso Creating verified commits for arbitrary emails using web commits|
|2||555 pts Jonathan Walker "Require review from Code Owners" bypass using unverified email addresses|
|3||1000 pts Abss CSRF in opting out of organization invites|
|4||1000 pts Kristóf Jakab Extending the scopes of an SSO-authorized personal access token without a SAML session|
|5||1000 pts Borja Berastegui Localhost same-site request forgery via GitHub Webhooks|