GitHub revealed on Tuesday that last year it paid out $165,000 to researchers who took part in its public bug bounty program. Security experts also earned significant amounts of money through GitHub’s private bug bounty programs, researcher grants, and a live hacking event.
The hacking event took place in August in Las Vegas and it resulted in the discovery of 43 vulnerabilities, for which the company paid out nearly $75,000.
GitHub has announced some important changes to its bug bounty program for 2019, including the addition of legal safe harbor terms whose goal is to guarantee that researchers who look for vulnerabilities in its systems will not face legal action.
The company says researchers are safe from legal action even if they accidentally overstep the scope of the bug bounty program, and they don’t have to worry about violating terms of service and policies. For example, the GitHub Enterprise license restrictions prohibit reverse engineering, but reverse engineering will still be allowed if it’s related to finding vulnerabilities for in-scope services.
GitHub also announced that its bug bounty program now also covers GitHub Education, GitHub Learning Lab, GitHub Jobs, the GitHub Desktop application, and GitHub Enterprise Cloud.
“It’s not just about our user-facing systems. The security of our users’ data also depends on the security of our employees and our internal systems. That’s why we’re also including all first-party services under our employee-facing githubapp.com and github.net domains,” the company explained.
Finally, GitHub says it has decided that there will no longer be a maximum reward limit for critical vulnerabilities – it has listed $30,000 as the top limit, but the company says it’s just a guideline. High-severity issues can earn researchers up to $20,000, while medium-severity flaws can be worth as much as $10,000.