Six years of the GitHub Security Bug Bounty program
Blog post from GitHub
GitHub's Security Bug Bounty program has reached significant milestones, having paid over $1,000,000 to researchers since transitioning to HackerOne in 2016, with $590,000 of that awarded in the last year alone. The program has seen a 40% increase in submissions while maintaining an average response time of 17 hours.

Notable vulnerabilities discovered include an OAuth flow bypass and remote code execution through command injection, both of which were swiftly addressed. The scope of the bug bounty has expanded with new features like GitHub Actions and the mobile applications, and live-hacking events like H1-702 have resulted in significant payouts for critical findings.

GitHub's private bug bounty programs allow for early detection of vulnerabilities in upcoming features, and the Security Lab bounty program encourages community contributions to enhance the security of open-source software globally.