GitHub, the code repository to the stars (and everyone else), is aware that it has vulnerabilities in its massive codebase. This is bad news for GitHub’s millions of users, but not to fear — the company is putting its best hackers on the job.
In a new bug bounty program, GitHub is specifically reaching out to white/gray-hat hackers in the security community to find all the nooks and crannies where bad guys might sneak into its codebase.
Said hackers find the vulnerabilities, they collect the bounty (both cash via PayPal and “points” for the leaderboard — sorry, no flipping Bitcoins), and everybody wins.
Right now, GitHub is seeking “researchers” to poke holes in the GitHub API, Gist (GitHub’s code snippet service), and GitHub.com. Bounty hunters can expect rewards ranging from $100 to $5,000, and people ages 13 and up from around the world (except trade-embargoed/governmentally sanctioned countries such as Cuba and the Sudan) are encouraged to participate.
Wouldn’t that be a fun line item on a teenage resume?
Cash rewards will be made at GitHub’s discretion for open bounties and perhaps for vulnerability reports on GitHub’s other apps, which range across a multitude of platforms.
The rules of the program pretty much follow the “don’t be a d**k” line of thinking: don’t publicly disclose a bug that hasn’t been fixed yet; don’t hack into someone else’s account or compromise other users’ data; and don’t use automated scanners, DDoS attacks, or non-technical attacks.
The company will be opening up more bounties as time goes by. Happy hacking!