Bug bounties have transformed the way enterprise tech companies think about security, and now that it’s part of Microsoft, GitHub is upgrading its program.
Security researchers who find bugs in GitHub’s code will now be eligible for bigger rewards and will no longer bump up against a maximum reward amount should they find a real showstopper, GitHub plans to announce Tuesday. The software-development portal will also expand the program to cover any “first-party services” under the GitHub umbrella, including GitHub Education and GitHub Enterprise Cloud.
More and more big tech companies are embracing the concept of bug bounties, where companies pay hackers to find and detail security holes in their software. If they are properly identified and disclosed in a responsible manner, bug bounties can be quite lucrative; security researchers have been awarded $31 million in recent years as these programs have become more popular, according to HackerOne, and GitHub paid $250,000 to responsible hackers in 2018.
GitHub now plans to pay between $20,000 and $30,000 for bugs deemed “critical” security flaws, and will increase the rewards for identifying lower-severity bugs as well. The company is also expanding legal protections for researchers who report security flaws, and plans to make it easier to report bugs while shortening the time it takes to respond to bug finders.