show image

Github is increasing the value of its bug bounties

Github has unveiled plans for a major expansion of its bug bounty programme in an attempt to crack down on vulnerabilities in its code.

The code repository, which was acquired by Microsoft last year, has raised the amount of money it hands out for each category of bug severity.

High severity flaws secure researchers up to $20,000 and critical flaws up to $30,000, although Github said it reserved the right to hand out significantly more money for “truly cutting-edge research”.

“We regularly assess our reward amounts against our industry peers,” said Github’s Phil Turner in a blogpost. “We also recognise that finding higher-severity vulnerabilities in GitHub’s products is becoming increasingly difficult for researchers and they should be rewarded for their efforts.”

The organisation paid out a total of $250,000 to researchers last year, $165,000 of which was through its public bug bounty programme and the rest through a private programme and researcher grants.

As well as reducing the size of awards researchers can receive, Github has established new legal protections for those who engage in the programmes, adding a “robust set of Legal Safe Harbor terms” to its site.

“Your research activity remains protected and authorized even if you accidentally overstep our bounty program’s scope,” said Turner. “Our safe harbor now includes a firm commitment not to pursue civil or criminal legal action, or support any prosecution or civil action by others, for participants’ bounty program research activities.”

The expansion of the programme means that researchers will now also be rewarded for finding vulnerabilities in “all first party services hosted under our github.com domain”, the company said, including GitHub Education, GitHub Learning Lab, GitHub Jobs, and GitHub Desktop application.

Microsoft’s proposed acquisition of Github prompted alarm in some quarters of the developer community last year. But Jim Zemlin, the director of the Linux Foundation, dismissed fears that the US tech giant was engaged in a “sinister plot” to acquire the 70 million open source projects Github hosts.

“Most of the important projects on GitHub are licensed under an open source license, which addresses intellectual property ownership,” he added. “The trademark and other IP assets are often owned by a non-profit like The Linux Foundation… Microsoft has the means and the expertise to make GitHub better.”