GitHub is celebrating another record year for our Security Bug Bounty Program in 2021! We are pleased to announce that we recently passed $2,000,000 in total payouts to researchers, just two years after we crossed the $1,000,000 mark in 2019. Over the past year alone, we paid over $800,000 in total bounties across our programs. We believe that the foundation of a successful bug bounty program is the partnership with talented security researchers from across the community, so we thank everyone who participated in our bounty program over the past year and in years past.
Security is at the heart of GitHub’s mission, and last year we announced a new in-house team dedicated to running and growing our bug bounty program. Bringing this team, focused on community engagement and the operation and growth of the program, into our product engineering organization is an integral part of the continued growth and maturity of our bounty program. In this post, we share some of the amazing things we accomplished together with the bounty community last year.
As we look ahead to the rest of 2022, we are also excited to share that we will be hosting a live hacking event with HackerOne in June 2022. More details below.
Highlights from 2021
In just ten short months since we set up our dedicated internal bug bounty team, we have quickly surpassed our previous records. Here are some important highlights from February 2021 to February 2022:
- Awarded $803,769 in bounties for 235 vulnerabilities, bringing our total bounties paid through HackerOne since 2016 to $2,355,773.
- Received 1363 submissions across our public and private programs; January 2022 was our busiest month, with 149 submissions.
- Awarded our highest ever single bounty of $50,000 in November 2021.
- Matched over $64,000 in donations that researchers made from their bounties, for a total of $128,234 donated to various charities (learn more about our donation program here).
- Improved our response time by one hour since 2020, bringing the average time to first response down to 12 hours.
- Grew participation in our program by 21% and recorded an 18% increase in first-time reports.
Favorite bug of 2021
Submissions to our bounty program continue to impress us. Here is a closer look at one of the most interesting reports we received in 2021.
Path traversal
On July 2, 2021, we received a report of a path traversal vulnerability in GitHub Enterprise Server (GHES).
The reported path traversal in GHES occurred during the build of a GitHub Pages site. GitHub Pages allows users to customize their site with a range of configuration options. These user-controlled configuration options were not sufficiently restricted, and allowed an attacker to use the traversal to read files on the GHES instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GHES instance.
We fixed the issue and assigned CVE-2021-22867 and CVE-2021-22868. CVE-2021-22868 was issued after a bypass of the fix for CVE-2021-22867 was discovered, which still allowed path traversal with a different payload.
The vulnerability affected all versions of GitHub Enterprise Server prior to 3.1.8 and was fixed in 3.1.8, 3.0.16 and 2.22.22.
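The class of bug described above is a site build that accepts file paths from user-controlled configuration and resolves them without confining them to the site's own directory. The following is an added example, not GitHub's or Jekyll's code, showing the check a page builder needs: every configured path is resolved against the site root and rejected if it escapes, including the second-payload variants (interior `..` segments, absolute paths, NUL bytes) that a first fix often misses. The site root, the configuration keys and the sample paths are constructed for the example.

```ruby
require "pathname"

# Constructed site root for the example (assumption, not a real GHES path).
SITE_ROOT = Pathname.new("/srv/pages/site")

# Returns the resolved absolute path when user_path stays under root,
# nil when it would escape. The check is purely lexical: "." and ".."
# are collapsed, but symlinks are not followed (see the note below).
def safe_site_path(user_path, root = SITE_ROOT)
  return nil if user_path.nil? || user_path.empty?
  return nil if user_path.include?("\0")   # NUL truncates paths in C-level file APIs
  candidate = Pathname.new(user_path)
  return nil if candidate.absolute?        # "/etc/passwd" style values
  resolved = (root + candidate).cleanpath  # "+" strips leading "..", cleanpath collapses the rest
  root_s = root.cleanpath.to_s
  # Compare on a path boundary: "/srv/pages/site-other" must not pass as "/srv/pages/site".
  inside = resolved.to_s == root_s || resolved.to_s.start_with?(root_s + "/")
  inside ? resolved.to_s : nil
end

# Validates every path-valued key of a configuration hash (constructed keys,
# modelled on Jekyll-style "source"/"include" but treated generically).
# Returns key => { accepted: [...], rejected: [...] } so a build can log the
# rejected entries and fail instead of silently reading outside the site.
def validate_path_config(config, root = SITE_ROOT)
  config.each_with_object({}) do |(key, value), report|
    paths = Array(value)
    accepted, rejected = paths.partition { |p| !safe_site_path(p, root).nil? }
    report[key] = { accepted: accepted, rejected: rejected }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo = {
    "source"  => ".",
    "include" => ["docs/index.md", "../../etc/passwd", "assets/../../../secret.yml", "/etc/hosts"],
  }
  validate_path_config(demo).each do |key, r|
    puts "#{key}: accepted=#{r[:accepted].inspect} rejected=#{r[:rejected].inspect}"
  end
end
```

The lexical check is only half of the control: if the build later opens the file, it should also resolve symlinks (`File.realpath` on the existing file) and re-apply the same root comparison, otherwise a symlink planted inside the site directory can point back outside it.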
The researcher, yvvdwf, not only reported a fantastic initial finding, but also helped test the fix when it was available. Their testing and analysis of the fix also led us to find a bypass of our initial correction. In the end, the discovery allowed us to further harden our product. For their continued efforts, we awarded yvvdwf a bonus for helping us test the fix and an additional bounty for their further discovery.
As we expand and develop our products and services at GitHub, we also continue to add new areas of focus to our bounty scope. For example, this year we added npm to our scope after introducing the product to the program through a private bounty. We were grateful for the success of that program, which led to the discovery of three critical vulnerabilities, and will continue to invest in private bounties with targeted focus areas as part of our overall security investment.
In addition, we will continue to identify new ways to incentivize researchers in our program. Beyond cash bounties, we are also focusing on introducing more non-cash rewards to recognize reports that do not meet our payout criteria. We understand that there are many ways to reward researchers, and by creating different rewards for different research motivations, such as money or recognition, we can continue to build better relationships with our researchers and give recognition for their work.
And one last thing: we are excited to announce that we will be hosting a live hacking event in June 2022 with HackerOne. We find great value in spending time with our community and are excited to host our first GitHub-focused event. We have partnered with HackerOne over the past few months to plan an exciting return to events that support both in-person and remote participation. Although the event is invitation-only, we encourage you to check it out for information on how to be invited to future live hacking events.
As we look forward to the ninth year of GitHub’s bug bounty program, we plan to continue improving our program to ensure we provide the best experience for our researchers and engineers. In 2023, you can expect improvements in response time, engagement with our community of hackers, and continuous review of our rewards to keep them competitive for our researchers.
This was a really exciting year for our team! We have some impressive plans for the next year of our program, and we look forward to engaging with our participants and reviewing their submissions.
We encourage researchers at all levels to submit reports to our bug bounty program. Your submissions are highly valued and influential in ensuring the safety and security of our products, our users and the community. For more details on the program’s scope, rules and bounties, please visit our website.
Thanks again to all the hackers who participated in the program. Happy hacking!