Software code development service GitHub has introduced a bug bounty programme.
The service, which hosts both commercial and open source projects, will offer bounties of up to $5,000, paid depending on the risk and potential impact to its users.
Launching the programme, it said in a blog post: “For example, if you find a reflected XSS that is only possible in Opera, which is [less than] two per cent of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, which accounts for [more than] 60 per cent of our traffic, will earn a much larger reward.”
It said that the programme is being launched “to better engage with security researchers” as researchers find and report vulnerabilities through its responsible disclosure process. Bounties will be paid for bugs found in GitHub API, GitHub Gist and GitHub.com.
“Our users’ trust is something we never take for granted here at GitHub. In order to earn and keep that trust we are always working to improve the security of our services. Some vulnerabilities, however, can be very hard to track down and it never hurts to have more eyes,” it said.
Drew Sing, at bug bounty brokers Bugcrowd, said: “As a recognised leader in source control and the de facto resume for developers, GitHub’s bug bounty program helps reaffirm the value in crowd sourced security programs. It’s another win for security researchers, who can submit bugs through a controlled process managed by GitHub’s security team.
“It’s great to see GitHub acknowledging security researchers between the ages of 13-18 as well. In the new age of crowd sourced skills, age shouldn’t be a restricting factor as long as it’s done in a responsible manner.”