GitHub started its Security Bug Bounty program last year in an effort to find unknown security vulnerabilities in GitHub applications. As part of the program, 57 previously unknown security vulnerabilities in GitHub applications have been found and fixed. There were 1,920 submissions in the past year by researchers worldwide, 869 warranted further review, helping GitHub to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications.
The top submitter, @adob, reported a persistent DOM based cross-site scripting vulnerability, relying on a previously unknown Chrome browser exploit that allowed GitHub Content Security Policy to be bypassed. The second-most-prolific submitter, @joernchen, reported a complex vulnerability in the communication between two back-end GitHub services that could allow an attacker to set arbitrary environment variables.
Double the money now
GitHub is now doubling the maximum payout for its program to $10,000 from $5,000 for submissions reporting unknown security vulnerabilities. The increased amount kicks off the program’s second year. Last year 33 unique researchers earned a cumulative $50,100 for the 57 medium to high risk vulnerabilities reported.
“If you’ve found a vulnerability that you’d like to submit to the GitHub security team for review, send us the details, including the steps required to reproduce the bug,” said GitHub Application Security Engineer Ben Toews, in a blog post. “You can also follow @GitHubSecurity for ongoing updates about the program.”
GitHub’s other Web properties and applications are not part of the program, but vulnerabilities found may receive a cash reward at the company’s discretion. The program prohibits the use of automated penetration testing tools, the exploitation of any found vulnerabilities to access another user’s accounts or data, and the use of non-technical attacks such as social engineering or phishing.
In addition, GitHub maintains that researchers who find vulnerabilities in a GitHub property not disclose it before a patch has been released and implemented. Researchers are also not allowed to use automated scanners against GitHub.
GitHub’s kept small the list of products and the variety of the exploits it offers bounties for. Security researchers can find bug on bugs in the GitHub API, GitHub Gist (GitHub’s code-snippet sharing service), and the GitHub.com website.