GitHub builds and operates a number of web properties and applications. Not all of them are currently part of an open bounty, however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed on the Open bounties are not currently eligible for cash rewards.
Avoid spamming GitHub services with large amounts of test data. We operate a number of applications and services to help GitHub employees reach out to our users. Real people at GitHub use these applications and having to sift through piles of test data impairs our ability to interact with our community.
All GitHub products and services not listed on the Open bounties list.
This doesn’t include applications that we recently acquired.
This doesn’t include “sandbox” domains that we use to mitigate the risk of hosting/processing user content.
This does not include content/services that do not belong to GitHub, such as GitHub Pages sites, third party services, or our users’ code.
|1||500 pts Pouya Darabi Joining the Developer Program without a paid plan|
|2||500 pts Himanshu Mehta DLL hijacking in Git Large File Storage (LFS) installer|
|3||500 pts Itzik Naim Exposed SNMP service|
|4||500 pts Itzik Naim Unrestricted registration to demonstration CI service|
|5||200 pts Kieran Huggins XSS in flight-manual.atom.io|