Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Github Ups Maximum Bug Bounty Reward to $10,000

steven36

By steven36
in Security & Privacy News

Recommended Posts

steven36

steven36

Posted
Posted

Developer platform Github has increased its bug bounty for security researchers, doubling the maximum reward from $5000 to $10,000 in a bid to attract more interest.

qabD2ly.png

The GitHub Security Bug Bounty has been going for a year now and resulted in the discovery of 73 previously unknown security vulnerabilities in the site.

Github security engineer, Ben Toews, gave a brief recap in a blog post:

“Of 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications. 33 unique researchers earned a cumulative $50,100 for the 57 medium to high risk vulnerabilities they reported.”

Top submitter is Aleksandr Dobkin (@adob), who has accrued a whopping 23,750 points.

He uncovered a variety of problems in the platform including a persistent DOM based cross-site scripting vulnerability, which relied on a previously unknown Chrome browser bug, allowing Github’s content security policy to be bypassed.

Researchers who find flaws in Github are encouraged to send them to the platform’s security team for review.

The business of vulnerability disclosure has become a contentious issue of late after a very public dispute between Google and Microsoft.

The latter frequently refers to “responsible disclosure” – that is informing the affected vendor privately and waiting for a fix to be issued before going public with the details.

However, there are no universally agreed norms on exactly how long a vendor should be allowed to take to fix a specific vulnerability.

Many, including Google’s Project Zero team, reckon that flaws should be fixed as soon as possible to avoid the chance of cyber-criminals discovering and exploiting the same holes.

When Google’s strict 90-day limit expired it released details of a Windows flaw earlier this month just two days before it was due to be fixed in Microsoft’s Patch Tuesday – prompting criticism from some quarters and an angry response from Redmond.

Google itself tripled the maximum bug bounty reward from $5000 to $15,000 last September, and earlier this week announced it had handed out over $80,000 to researchers to help fix holes in Chrome 40.

Source

Link to comment
Share on other sites
  • Views 890
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...