GitHub, the Microsoft-owned code hosting platform, made headlines as it revealed that it had paid out a substantial sum of more than $1.5 million in bug bounties for uncovering 364 vulnerabilities throughout 2022.
This noteworthy achievement pushed the total bug bounty rewards to nearly $4 million since the program’s inception in 2016. A significant highlight of this effort was the distribution of over $1.57 million in rewards between February 2022 and February 2023. GitHub’s bug bounty program, which has been operating on the HackerOne platform since 2016, has become a crucial element in enhancing cybersecurity and rewarding ethical hackers.
Last year, GitHub encountered a surge in vulnerability reports, amassing over 2,000 submissions and granting bounties for 364 security flaws. Remarkably, the peak activity was observed in June 2022 during the H1-512 live hacking event held in Austin. The event involved the participation of 45 in-person and remote researchers, with nearly half of the submitted vulnerabilities validated and rewarded with close to $700,000 in bug bounties.
GitHub acknowledged the importance of such events in fostering meaningful connections between its team and the security researchers, transcending the virtual realm.
In its ongoing commitment to cybersecurity, GitHub took further steps by initiating a limited disclosure of vulnerability reports, particularly for GitHub Enterprise Server (GHES) and open-source projects with CVE identifiers.
The platform outlined plans to unveil more reports through HackerOne, demonstrating transparency and accountability. In line with its dedication to attracting a wider range of ethical hackers, GitHub expressed its intent to expand its rewards beyond monetary compensation, offering non-monetary incentives to incentivize participation. The platform urged researchers of all levels to contribute, emphasizing the collective impact of their efforts in ensuring the safety and security of its products, users, and the broader community.
