Web-based hosting service GitHub has decided to increase both the potential reward amounts and scope of its bug bounty program.

On 19 February, GitHub announced its decision to raise its reward amounts. Security researchers can now expect to earn a minimum of $617 for reporting a low-severity vulnerability in the service’s products. On the other end of the spectrum, bounty hunters will receive a reward of at least $30,000 for disclosing a critical-level flaw, though the prize’s amount could be even higher.

GitHub explains why it removed the maximum reward limit from its bug bounty program in a blog post:

Our broad ranges have served us well, but we’ve been consistently impressed by the ingenuity of researchers. To recognize that, we no longer have a maximum reward amount for critical vulnerabilities. Although we’ve listed $30,000 as a guideline amount for critical vulnerabilities, we’re reserving the right to reward significantly more for truly cutting-edge research.

This explanation coheres with the company’s use of other bug bounty programs’ reward structures as well as the growing difficulty of finding critical vulnerabilities in GitHub’s products to revise its payout limits.

The hosting service didn’t stop there, however. It also announced another expansion of the products and services covered under its bug bounty program. As a result, security researchers can now test all first-party services provided under the github.com domain including GitHub Education, GitHub Learning Lab, GitHub Jobs and the GitHub Desktop application. They can also explore the service’s Enterprise Cloud.

Those who are interested in participating in GitHub’s program, which now comes with an expanded set of Safe Harbor legal terms, can find out more information by visiting the service’s bug bounty page.

GitHub’s vulnerability reward frameworks is one of more than a dozen essential bug bounty programs with which security researchers should (Read more...)