
Four years of the GitHub Security Bug Bounty

Last month GitHub celebrated the fourth year of our Security Bug Bounty program. As we’ve done in the past, we’re sharing some details and highlights from 2017 and looking ahead to where we see the program going in 2018.

2017 in review

Last year was our biggest year yet as our Bug Bounty program continued to grow in participation by researchers, program initiatives, and the rewards paid out.

Diving straight into the numbers, we can review the details of this growth. In 2017, we reviewed and triaged a total of 840 submissions to the program. Of these submissions, we resolved and rewarded a total of 121 reports with an average payout of $1,376 (and swag!). Compared to our previous statistics for 2016, this was a significant increase from 48 out of 795 reports being resolved. In 2017, our rate of valid reports increased from 6% to almost 15%.

Our total payouts also saw a significant increase from $95,300 in 2016 to $166,495 in 2017. We attribute this to the increased number of valid reports and to the re-evaluation of our payout structure in October. Corresponding with HackerOne’s Hack the World competition, we doubled our payout amounts across the board, raising our minimum and maximum payouts to $555 and $20,000 and putting our bug bounty in line with the industry’s top programs.

2017 initiatives

To accelerate our program’s growth in 2017, we launched a number of initiatives to help engage researchers. Among the changes to the program was the introduction of GitHub Enterprise to the scope of the Bug Bounty program, which allowed researchers to focus on areas of our applications that may not be exposed on or are specific to certain enterprise deployments. In the beginning of 2017, a number of reports impacting our enterprise authentication methods prompted us to not only focus on this internally, but also identify how we could engage researchers to focus on this functionality. To promote a more targeted review of these critical code paths we kicked off two new initiatives beyond our public Bug Bounty program.

Researcher grants

Providing researcher grants is something that has been on our radar since Google launched their Vulnerability Research Grants in 2015. The basic premise is that we pay a fixed amount to a researcher to dig into a specific feature or area of the application. In addition to the fixed payment for the grant, any vulnerabilities identified are also paid out through the Bug Bounty program. At the beginning of the year, we identified a researcher who specialized in assessing troublesome enterprise authentication methods. We reached out and launched our first researcher grant. We couldn’t have been happier with the results. It provided a depth of expertise and review that was well worth the extra monetary incentive.

Private bug bounty

In March 2017 we launched GitHub for Business, bringing enterprise authentication to organizations on We used this feature launch as an opportunity to roll out a new part of the Bug Bounty program: private bug bounties. Through a private program on HackerOne, we reached out to all researchers who had previously participated in our program and allowed them access to this functionality before its public launch. This added to our internal pre-ship security assessments with review by external researchers and helped us identify and remediate issues before general exposure. With the extra review, we were able to limit the impact of vulnerabilities in production while also providing fresh code and functionality for researchers to look into.

Operational efficiency

Internal improvements to the program have helped us more efficiently triage and remediate submissions from researchers. ChatOps and GitHub-based workflows are core to how we deal with incoming submissions. As soon as new ones arrive, we receive alerts in Slack using HackerOne’s Slack integration. From there, we can triage issues directly from chat, letting the team know which issues are critical and which can wait until later. At the end of our triage workflow, we use ChatOps to issue rewards through HackerOne, so we can close the loop and pay researchers as quickly as possible.

To support these workflows, we’ve continued to build on our Ruby on Rails HackerOne API client, and we make extensive use of the HackerOne and GitHub APIs in our internal processes.

So far, these improvements have made us significantly more efficient. Our average response time in 2017 was 10 hours, valid issues were triaged to developers on average within two days, and bounties were rewarded on average in 17 days. Given the time and effort that researchers dedicate to participating in our program, we feel great about these improvements. And in 2018, we’ll continue to refine our process. We’re always looking for ways to make sure our researchers receive a prompt and satisfactory response to their submissions.

What’s next?

Also in 2018, we’re planning to expand the initiatives that proved so successful last year. We’ll be launching more private bounties and research grants to gain focus on specific features both before and after they publicly launch. Later in the year, we’ll announce additional promotions to continue to keep researchers interested and excited to participate.

Given the program’s success, we’re also looking to see how we can expand its scope to help secure our production services and protect GitHub’s ecosystem. We’re excited for what’s next and look forward to triaging and fixing your submissions this year!

Godot GDC Meetup: Thursday March 22, 2018

Godot GDC Meetup Poster

We’re excited to host the Godot GDC Meetup at GitHub HQ in San Francisco on Thursday, March 22. Juan Linietsky, Lead Developer at Godot Engine, will discuss Godot’s development process and how they work with a community of more than 500 developers.

Leaf Corcoran, Founder of, will talk about deploying Godot games to using command line tools and API endpoints for patching and querying all sorts of data.

Please bring yourselves and your laptops for a night of talks, demos, and conversation. Game developers of all levels are welcome!

Register now

Date: Thursday March 22, 2018
Time: 6:30 pm - 9:30 pm PT
Address: 88 Colin P Kelly Jr St, San Francisco, CA 94107

GitHub GDC Party: March 20

Heading to San Francisco for the Game Developers Conference (GDC) next week? Join us at GitHub HQ on Tuesday, March 20 at 7 pm for our annual GDC Party!

GitHub GDC Party

Our friends from the Global Game Jam will be there celebrating their 10-year anniversary and showcasing a collection of games for you to play. Feel free to bring your laptops and other devices, show off your work, and meet people who love games as much as you do. We’ll supply the drinks, wifi, and Octocat stickers.

Note: GDC badges or proof of registration are required for entry. All ages welcome, but please bring a valid photo ID if you’re over 21 and would like to drink. We recommend showing up early to avoid disappointment—it wouldn’t be the first GDC party to reach capacity quickly.

Date: Tuesday, March 20
Time: 7 pm - 12 am PT
Address: 88 Colin P Kelly Jr St, San Francisco, CA 94107

Patchwork Orlando

Patchwork is headed to Orlando! This event is open to beginners to Git and GitHub and mentors who want to help others learn. We’ll have stickers for everyone, and a little something extra for the mentors, so we hope to see you there.

Canvs Orlando

Special thanks to our partners for the event:

GitHubbers and community mentors will be on hand to walk the attendees through their choice of learning modules:

  • GitHub 101: Introduction to GitHub
  • GitHub 102: Using the GitHub Desktop
  • GitHub 103: Using the Command Line

No coding experience needed

Patchwork is a self-directed, hands-on workshop for learning Git and GitHub. The atmosphere is casual and informal—it’s not an event full of presented tutorials and copious note-taking. You will be able to go at your own pace with the help of a community mentor nearby in case you run into any trouble. Join us for a night of hacking and snacking and make some new friends while you’re at it!

Newcomers to Git and GitHub: you’ll leave with a merged pull request, a square on your contributions graph, and the confidence to get more involved in the open source community.

Mentors: if you’ve ever had a pull request merged, now is your chance to share the love and help someone else create magic. :sparkles:


For: Beginners to Git and GitHub
When? April 11, 2018 6:30-9:30 pm
Where? Canvs: Downtown Orlando, 101 S. Garland Avenue, Suite #108, Orlando, FL 32801 (This venue is wheelchair friendly, and provides gender-neutral restrooms)

If you do not yet have a GitHub account, we ask that you sign up at before you attend the event. It’s fast, easy, and of course, free. This way you’ll be ready to go right out of the gate.

We will provide food and refreshments. If you have any food allergies, please let us know during registration.

The International Conference on Game Jams, Hackathons, and Game Creation Events: Sunday March 18, 2018

International Conference on Game Jams, Hackathons, and Game Creation Events Logo

You’re invited to the third annual International Conference on Game Jams, Hackathons, and Game Creation Events (ICGJ), happening Sunday, March 18, at GitHub HQ in San Francisco.

Organized by Global Game Jam, ICGJ is an interdisciplinary conference for educators, researchers, professionals, and event organizers who organize or participate in game jams and hackathons. Check out the ICGJ website for the complete schedule of papers, presentations, lightning talks, and games being showcased at the event.

Register now

Date: Sunday March 18, 2018
Time: 9 am - 6:30 pm PST
Address: 88 Colin P Kelly Jr St, San Francisco, CA 94107

