10 years of the GitHub Security Bug Bounty Program

The GitHub Security Bug Bounty program celebrated its 10th anniversary, highlighting its evolution since its inception in 2014, including increased transparency, expanded scope, and enhanced researcher engagement. Initially launched to improve security through researcher collaboration, the program has progressively broadened its scope to cover more products and services, resulting in a significant increase in submissions and rewards over the years. The program transitioned to the HackerOne platform in 2016, boosting payouts and establishing a Legal Safe Harbor policy to protect researchers. By 2023, GitHub had paid out over $4 million in total rewards, with the highest single reward reaching $75,000. The program continues to grow with initiatives such as private bounty engagements, community events, and a focus on diversity through the Glass Firewall conference. Looking forward, GitHub aims to refine its processes, enhance public disclosures, and offer exclusive opportunities to its VIP community, further strengthening its commitment to security and collaboration.