A little over three years ago, we launched our Security Bug Bounty Program, a way to reward security researchers who help make GitHub more secure by reporting vulnerabilities in our platform. Today, we’re taking another step to support this type of effort on a much bigger scale. Along with Facebook and the Ford Foundation, we’ve donated $100,000 to the Internet Bug Bounty (IBB) to make the internet safer by catching more vulnerabilities in internet infrastructure and open source software.
The IBB is responsible for awarding over $616,350 for more than 625 valid vulnerabilities in some of the most important software the internet community uses including RubyGems, Ruby, Phabricator, PHP, Python, and OpenSSL—$150,000 was awarded for over 250 vulnerabilities in last year alone. So far, $45,000 of hackers’ bounties have been donated to organizations like the Electronic Frontier Foundation, Hackers for Charity, and Freedom of the Press Foundation.
Guidelines, bounties, and policies are decided by a volunteer panel selected from the security community. The panel will use the $300,000 to expand the scope of the IBB in two ways: a new Data Processing Program to “encompass numerous widespread data parsing libraries as these have been an increasing avenue for exploitation” and an expansion of “coverage of technologies that serve as the technical foundation of a free and open Internet, such as OpenSSL.”
We’re excited to support the IBB’s vision and can’t wait to see this initiative grow.