Seven years of the GitHub Security Bug Bounty program
Blog post from GitHub
Since its launch in 2014, GitHub's Security Bug Bounty Program has become a key part of securing GitHub's software, with significant contributions from security researchers and the bug bounty community. The program had its busiest year from February 2020 to February 2021, awarding $524,250 for 203 vulnerabilities and bringing total rewards to over $1.5 million since it joined HackerOne in 2016. Notably, the program mitigated a universal open redirect vulnerability that could have compromised the OAuth flow of Gist users, an example of the creativity and expertise within the community. GitHub also became a CVE Numbering Authority (CNA), allowing it to issue CVEs for vulnerabilities in GitHub Enterprise Server, which helps customers understand updates and prioritize upgrades. The company expanded its private bug bounty programs to cover new and beta products, such as GitHub Pages and GitHub Enterprise Server 2.22, so that vulnerabilities are addressed before public release. Looking forward, GitHub continues to invest in its security initiatives, including forming a new team dedicated to the bug bounty program and developing additional private programs, emphasizing the importance of collaboration for improving platform security.