GitHub’s fifth annual Bug Bounty program has expanded the scope and rewards for security bugs found in its products.
GitHub’s security bug bounty program in 2019 includes all first-party services hosted under the github.com domain, including GitHub Enterprise Cloud, GitHub Education, GitHub Learning Lab, GitHub Jobs and the GitHub Desktop application. GitHub Enterprise Cloud combines what was formerly known as GitHub Business Cloud with GitHub Enterprise Server, formerly known as GitHub Enterprise.
GitHub has steadily expanded the list of products and services that are eligible for reward in its security bug bounty program. GitHub Enterprise Server has been in the program’s scope since 2016, but expansion to Enterprise Cloud will further increase security for enterprise customers, said Philip Turnbull, a senior application security engineer at GitHub.
In addition, GitHub increased its reward amounts at all levels and no longer caps its reward amounts for critical vulnerabilities, Turnbull said. The reward for any critical vulnerability found ranges from $20,000 to more than $30,000. The company also bumped up payouts for high-level vulnerabilities ($10,000 to $20,000), medium-level vulnerabilities ($4,000 to $10,000) and low-level vulnerabilities ($617 to $2,000).
Last year, GitHub paid out more than $250,000 to researchers who found bugs in the company’s software, up from $166,495 in 2017 and $95,300 in 2016. From its public security bug bounty program in 2018, GitHub paid out two critical-severity $20,000 rewards and six high-severity $10,000 awards. All other submissions were categorized as low- or medium-severity, Turnbull said.
Last August, GitHub took part in HackerOne’s H1-702 live-hacking event and rewarded nearly $75,000 for 43 vulnerabilities that participants uncovered. This included five high-severity vulnerabilities in the GitHub.com services and one critical vulnerability in GitHub Enterprise Server.
GitHub also ran a private bug bounty program with the public beta of its GitHub Actions release, and researchers uncovered several low- and medium-severity vulnerabilities in GitHub Actions, Turnbull said.
The bug bounty program not only shores up the GitHub source code, it brings additional resources to bear and strengthens the company’s relationship with the security research community, Turnbull said. GitHub’s security team constantly works to identify and resolve security issues, but the added layer of protection from white hat researchers helps GitHub further secure its services for users.
One result is that GitHub has reduced its average time to resolve vulnerabilities from 16 days to six days, Turnbull said.
Meanwhile, also for 2019, GitHub added a new set of Legal Safe Harbor terms to its policy to ensure researchers and developers remain safe from legal risks of security research, such as reverse engineering the technology, accidentally overstepping the security bug bounty program’s scope or violating the site’s terms.
Bug bounties boost cred, for a cost
“You use this type of program to find out which developers you should hire,” said Torsten Volk, an analyst at Enterprise Management Associates, in Boulder, Colo.
“In 2018, there were eight successful bounty hunters, taking home an average of $30,000 from GitHub,” he said. “These are exactly the guys I want to invite to job interviews.”
From a marketing perspective, GitHub spends $200,000 to $300,000 in 2019 on bounties to say that GitHub Enterprise Cloud is battle hardened, and that’s a worthwhile return, Volk said. It is cheaper to find security issues in a bounty competition than to have them exploited by the bad guys, he said.
Overall, security bug bounty programs prove their value by enabling software providers to find and resolve bugs before their customer base even knows they exist. These programs have become invaluable as companies work to enhance their security capabilities. GitHub’s security bug bounty program has continued to grow in terms of the number of researchers involved, bugs submitted and thus rewards paid out. The company also expanded the scope of products covered under the program. Several major companies encourage users to find bugs for them.
For instance, last month, Microsoft’s Security Response Center launched a bug bounty program for the company’s Azure DevOps service. The program offers rewards up to $20,000 to security bug bounty hunters who find vulnerabilities in Azure DevOps online services and the latest release of Azure DevOps server.