GitHub today launched the GitHub Bug Bounty program “to better engage with security researchers.” In short, the company will pay between $100 and $5,000 for each security vulnerability discovered and responsibly disclosed by hackers.
The program currently covers the GitHub API, GitHub Gist, and GitHub.com. GitHub says its other Web properties and applications are not part of the program, but it says vulnerabilities found “may receive a cash reward at our discretion.”
The exact amount paid out for each bounty will be determined by GitHub “based on actual risk and potential impact to our users.” Put simply, the wider the potential scope and the higher the severity of the issue, the larger the payout.
The company offers the following example:
If you find a reflected XSS that is only possible in Opera, which is < 2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, which accounts for > 60% of our traffic, will earn a much larger reward.
That being said, even spotting a low-severity bug is worth disclosing for the extra cash. Not only are you getting paid for your hard work, but you’re making the Web safer in the long run.
“Our users’ trust is something we never take for granted here at GitHub,” the company writes. “In order to earn and keep that trust we are always working to improve the security of our services. Some vulnerabilities, however, can be very hard to track down and it never hurts to have more eyes.”
Bug bounty programs are becoming more and more popular because they work. The damage caused by an exploited bug far exceeds the cost of simply paying security researchers to find it first.
See also:
- Google begins offering financial rewards for proactive security patches made to select open-source projects
- Microsoft expands $100,000 bug bounty from just security researchers to groups, responders, and forensic experts