Story image

GitHub boosts bug bounty program & payouts in 2017 with more to come this year

19 Mar 2018

GitHub’s Security Bug Bounty program paid out more than US$166,000 in 2017 after a significant payout revamp that doubled amounts across the board.

Last month the company marked the fourth year of its program and it says 2017 was its ‘biggest year yet’.

It reviewed and triaged 840 bug submissions, or which 121 were resolved and rewarded. The average payout netted bug reporters US$1376. 

The company says the numbers represent a 15% increase in valid bug reports compared to 48 of 795 incidents resolved in 2016.

GitHub senior manager of security engineering Greg Ose says in a blog post that the total reward payouts rose to $166,495 in 2017 – up from $95,300 in 2016.

“We attribute this to the increased number of valid reports and in October we took time to re-evaluate our payout structure. Corresponding with HackerOne's Hack the World competition, we doubled our payout amounts across the board, bringing our minimum and maximum payouts to $555 and $20,000, bringing our bug bounty in line with the industry's top programs.”

GitHub also conducted a number of other initiatives to boost the Security Bug Bounty program.

One of these was the introduction of GitHub enterprise, which allowed researchers to look at areas specific to enterprise or applications not exposed on GitHub.

“A number of reports impacting our enterprise authentication methods prompted us to not only focus on this internally, but also identify how we could engage researchers to focus on this functionality,” Ose explains.

The company also offered one researcher a grant to research a specific feature or areas of application. Bug bounty rewards also applied.

“During the beginning of the year, we identified a researcher with specialty in assessing troublesome enterprise authentication methods. We reached out and launched our first researcher grant. We couldn't have been happier with the results. It provided a depth of expertise and review that was well worth the extra monetary incentive,” Ose says.

Off the back of its GitHub for Business launch, the company rolled out private bug bounties through a private program on HackerOne.

“We reached out to all researchers who had previously participated in our program and allowed them access to this functionality before its public launch. This added to our internal pre-ship security assessments with review by external researchers and helped us identify and remediate issues before general exposure. With the extra review, we were able to limit the impact of vulnerabilities in production while also providing fresh code and functionality for researchers to look into.”

Finally, the company has continued to develop its HackerOne API client and internal improvements to triage and implement submissions from its bounty reporters.

For the year ahead Ose says, “We'll be launching more private bounties and research grants to gain focus on specific features both before and after they publicly launch. Later in the year, we'll announce additional promotions to continue to keep researchers interested and excited to participate.”

Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.
Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
Developing APAC countries most vulnerable to malware - Microsoft
“As cyberattacks continue to increase in frequency and sophistication, understanding prevalent cyberthreats and how to limit their impact has become an imperative.”
Worldwide spending on security to reach $103.1bil in 2019 - IDC
Managed security services will be the largest technology category in 2019.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.