GitHub expands bug bounty program and removes maximum award limit

GitHub today beefed up its bug bounty program. The Microsoft-owned company has expanded the program’s scope, increased its reward amounts, and added Legal Safe Harbor terms to its policy. GitHub also revealed that it paid out over $250,000 to security researchers in 2018 through its public bounty program, researcher grants, private bug bounty programs, and a live-hacking event. Of that total, $165,000 was specifically paid out to researchers through the public bug bounty program.

GitHub launched its bug bounty program in January 2014. Over the past five years, the company has grown the program and increased the maximum bounty payout. But now it’s going even further.

Expanded scope and increased rewards

GitHub’s bug bounty program is expanding to cover all first-party services hosted under the github.com domain (GitHub Education, GitHub Learning Lab, GitHub Jobs, and GitHub Desktop), Enterprise Cloud, and all first-party services under the employee-facing githubapp.com and github.net domains. Oh, and it’s increasing the reward amounts at all levels.

The reward amount increases are an acknowledgement that finding security vulnerabilities in GitHub’s products is “becoming increasingly difficult for researchers and they should be rewarded for their efforts.” The new rewards are:

• Critical: $20,000 – $30,000+
• High: $10,000 – $20,000
• Medium: $4,000 – $10,000
• Low: $617 – $2,000

The “+” appended to the $30,000 warrants an explanation. GitHub says it no longer has a maximum reward amount for critical vulnerabilities. $30,000 is a guideline, but the Microsoft-owned company is “reserving the right to reward significantly more for truly cutting-edge research.”

We wondered if Microsoft’s $7.5 billion acquisition of GitHub played a role in the removal of the limit, but a GitHub spokesperson said “No.” Still, it can’t hurt having a parent company with deep pockets.

Legal safe harbor

The last set of changes GitHub is making is based on feedback from security researchers who have participated in the bug bounty program. To keep program participants safe from the legal risks of security research, the company has added Legal Safe Harbor terms to its site policy based on CC0-licensed templates.

The new terms cover three main sources of legal risk:

• Your research activity remains protected and authorized even if you accidentally overstep our bounty program’s scope. Our safe harbor now includes a firm commitment not to pursue civil or criminal legal risk, or support any prosecution or civil action by others, for participants’ bounty program research activities, including good faith violations of the bounty policy.
• We will do our best to protect you against legal risk from third parties who won’t commit to the same level of safe harbor protections. Our safe harbor terms now limit report-sharing with third parties in two ways. We won’t share your identifying information with a third party without your written permission. We also won’t share non-identifying information without notifying you first and getting the third party’s written commitment not to pursue legal action against you.
• You won’t be violating our site terms if it’s specifically for bounty research. For example, if your in-scope research includes reverse engineering, you can safely disregard the GitHub Enterprise Agreement’s restrictions on reverse engineering. Our safe harbor now provides a limited waiver for parts of other site terms and policies to protect researchers from legal risk from DMCA anti-circumvention rules or other contract terms that could otherwise prohibit things a researcher might need to do, like reverse engineering or deobfuscating code.

GitHub is particularly proud of these protections, which it says took months of legal research. “Other organizations can look to these terms as an industry standard for safe harbor best practices — and we encourage others to freely adopt, use, and modify them to fit their own bounty programs,” the company said.