Microsoft offers up to $30k USD on GitHub vulnerability bounty program

GitHub renews its vulnerability report rewards program

Network security and ethical hacking specialists from the International Institute of Cyber Security report that GitHub, the code hosting platform owned by Microsoft, has made some changes to its vulnerability bounty program. The program, which has been running for five years now, will offer higher rewards and broad legal protections for hackers who choose to participate in it.

GitHub decided to eliminate the maximum amount that an ethical hacker could receive for reporting vulnerabilities in the platform. In a relevant case, a hacker could receive a bounty of between $20k USD and $30k USD, although GitHub states that an outstanding investigation could receive “a significantly higher amount”.

In general, GitHub's bounty ranges include:

  • Between $10k USD and $20k USD for critical vulnerabilities
  • Between $4k USD and $10k USD for medium severity vulnerabilities
  • Between $610 USD and $2k USD for low-risk vulnerabilities

“It’s getting harder for network security researchers to find critical vulnerabilities on GitHub, so we think it’s necessary that they receive rewards in line with their efforts”, says GitHub’s release.

All services hosted under the GitHub.com domain participate in the program, including GitHub Education, GitHub Learning Lab, GitHub Jobs and the GitHub Desktop application. The GitHub Enterprise cloud service is also within the scope of the rewards program.

Finally, GitHub wants network security experts to stop running some of the legal risks of participating in the rewards program. The platform decided to add a new set of legal terms to the program to protect researchers determined to find critical vulnerabilities. GitHub commits not to sue investigators if, by mistake, they exceed the scope of the program, and it offers the same level of protection against third parties.

“To encourage the investigation and responsible disclosure of security vulnerabilities, we shall not undertake civil or criminal actions, nor will we send notices to police authorities for accidental or bona fide violations of this policy”, specifies the new version of GitHub's vulnerability bounty program.