
Microsoft offers up to $30k USD on GitHub vulnerability bounty program

GitHub renews its vulnerability report rewards program

Network security and ethical hacking specialists from the International Institute of Cyber Security report that GitHub, the code hosting platform owned by Microsoft, has made some changes to its vulnerability bounty program. The program, which has been running for five years now, will offer higher rewards and broad legal protections for hackers who choose to participate in it.

GitHub has removed the cap on the amount an ethical hacker can receive for reporting vulnerabilities in the platform. For a qualifying report, a hacker could receive between $20k USD and $30k USD in bounty, although GitHub says that an outstanding investigation could receive “a significantly higher amount”.

In general, the GitHub bounty ranges are:

  • Between $10k USD and $20k USD for critical vulnerabilities
  • Between $4k USD and $10k USD for medium severity vulnerabilities
  • Between $610 USD and $2k USD for low-risk vulnerabilities

“It’s getting harder for network security researchers to find critical vulnerabilities on GitHub, so we think it’s necessary that they receive rewards in line with their efforts”, says GitHub’s release.

All services hosted under the GitHub.com domain participate in the program, including GitHub Education, GitHub Learning Lab, GitHub Jobs and the GitHub Desktop application. The GitHub Enterprise cloud service is also within the scope of the rewards program.

Finally, GitHub wanted to remove some of the legal risks that network security experts run by participating in the rewards program. The platform added a new set of legal terms to the program to protect researchers who set out to find critical vulnerabilities. GitHub commits not to sue researchers who, by mistake, exceed the scope of the program, and it also offers the same level of protection against claims from third parties.

“To encourage the investigation and responsible disclosure of security vulnerabilities, we shall not undertake civil or criminal actions, nor will we send notices to police authorities for accidental or bona fide violations of this policy”, specifies the new version of the GitHub vulnerability bounty program.
