
GitHub expands bug bounty program and increases rewards


GitHub is expanding its bug bounty program and increasing the rewards for finding vulnerabilities in the platform's codebase. In addition, new safe harbor language has been added to the program's legal terms to better protect bug hunters.

The most critical vulnerabilities now carry a reward of USD 30,000, although the Microsoft-owned company reserves the right to pay significantly more for truly groundbreaking research.

According to VentureBeat, the increased rewards are a recognition of the researchers' work: finding security vulnerabilities in GitHub's code has become increasingly difficult, so the company wants to reward researchers all the more for their efforts.

$617 to $30,000

Vulnerabilities in the high-severity category earn a reward of between $10,000 and $30,000, and medium-severity findings pay the researcher between $4,000 and $10,000. The lowest category still pays between $617 and $2,000.

GitHub launched the bug bounty program in 2014 and announced last year that it had already paid out more than $250,000 to security researchers through research grants, bug bounty programs and live hacking events. $165,000 of this was paid out through the public bug bounty program.

To protect program participants from the legal risks of security research, the company has added Legal Safe Harbor terms to its site policy, based on CC0-licensed templates.

Legal risk covered

The new terms cover three main sources of legal risk. First, research activity remains protected and authorized even if a researcher accidentally exceeds the scope of the bounty program. GitHub also protects researchers against the legal risk posed by third parties that are unwilling to commit to the same level of safe harbor protection.

The terms protect security researchers in two ways when reports are shared with third parties: identifying information is not shared with a third party without the researcher's written permission, and non-identifying information is not shared without first notifying the researcher. In addition, the third party must undertake in writing that it will not take legal action against the researcher.

Finally, GitHub states that researchers do not violate the site terms if their activity is specifically intended for bug bounty research. For example, if the research involves reverse engineering, the restrictions on reverse engineering in the GitHub Enterprise agreement do not apply.

Industry standard

GitHub is particularly proud of the revised terms, which it says were preceded by months of legal research. The company states that these terms can be considered an industry standard, and other organizations are encouraged to adopt them freely or adapt them to their own bug bounty programs.


This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.