GitHub builds and operates a number of web properties and applications. Not all of them are currently part of an open bounty; however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed on the Open bounties page are not currently eligible for cash rewards.
Avoid spamming GitHub services with large amounts of test data. We operate a number of applications and services to help GitHub employees reach out to our users. Real people at GitHub use these applications and having to sift through piles of test data impairs our ability to interact with our community.
Scope: all GitHub products and services not listed on the Open bounties list. This does not include:

- applications that we recently acquired;
- “sandbox” domains that we use to mitigate the risk of hosting/processing user content;
- content/services that do not belong to GitHub, such as GitHub Pages sites, third party services, or our users’ code.
| Rank | Points | Researcher | Finding |
|------|--------|------------|---------|
| 1 | 2500 pts | Adam Baldwin (GitHub employee) | GitHub.com tokens exposed via NPM package |
| 2 | 2500 pts | Adam Baldwin | NPM token for Electron exposed |
| 3 | 5000 pts | @zhuowei | GitHub Desktop remote code execution |
| 4 | 5000 pts | joernchen of Phenoelit | Git LFS code execution |
| 5 | 5000 pts | Max Dymond | Unintended services exposed to internet due to ACL changes |