GitHub has officially launched its bug bounty program. The initial scope covers the GitHub API, Gist and the GitHub site (only the subdomains owned by GitHub). Submitted vulnerabilities are rewarded based on risk and potential impact to users, with bounties ranging from $100 to $5,000 as GitHub engages security researchers in responsible disclosure.
To make the process fun, a leaderboard has been put up where researchers earn points for each submitted vulnerability. Scores on the leaderboard depend on a good write-up of the vulnerability and functional proof-of-concept code. Already on the leaderboard are users @joernchen (broken authentication bug – write-up here) and @ahoernecke (access control bug).
Eligible bug classes:
- Broken Authentication or Session Management
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Injection
- Insecure Direct Object Reference
- Missing Function Level Access Control
- Security Misconfiguration
- Sensitive Data Exposure
- Unvalidated Redirect or Forward
- Using Components with Known Vulnerabilities
- Other – privilege escalation and other interesting bugs
Submission guidelines and terms are listed on the GitHub Bug Bounty site. Researchers under 13 years of age are not eligible to participate, although those between 13 and 18 may submit findings and receive payment through their guardians. If you reside in any country on which the US has imposed trade sanctions (Cuba, Iran, North Korea, Sudan, Syria), you are also out of luck. For anyone else who's interested, you can submit a bug today and get some "cold hard cash".