GitHub has expanded the scope of its existing error reward program. The Microsoft-owned platform has eliminated the limit of its maximum payment under the error reward program. GitHub has updated its five-year security bug reward with a top reward.
For the first time, GitHub removed the maximum limit on the amount paid to security researchers to detect critical errors. Now, security researchers can expect between $ 20,000 and $ 30,000 to report critical errors. GitHub claims that the reward is significantly higher for advanced research.
New rewards structure
GitHub also examines the rewards offered for less critical errors reported in the program. Mild errors will receive between $ 617 and $ 2,000. Medium-gravity errors will receive between $ 4,000 and $ 10,000. For the most serious mistakes, GitHub will offer rewards ranging from $ 10,000 to $ 30,000.
In the official announcement, Phil Turnbull of GitHub said: “We regularly evaluate the amount of our awards compared to our industry colleagues, and we also recognize that it is increasingly difficult for researchers to discover more serious vulnerabilities of GitHub products to be rewarded for their efforts, which is why we have increased the amount of our awards at all levels. ”
The company has also included more products in the eligibility criteria for awards. The first class services hosted on GitHub.com now apply to the reward of errors. New products included in the GitHub Bug Bounty program include GitHub Education, GitHub Learning Lab, GitHub Jobs, GitHub Enterprise Cloud and the GitHub Desktop app. The company has extended the same program for its employee sites, such as githubapp.co and github.net.
Legal barriers
Another important change in the program is that GitHub has eliminated the legal risks to its error reward programs. The company wanted to eliminate the legal risks exposed by security researchers. GitHub has released a new legal agreement on the terms of Safe Harbor for its site policy, which offers clearly established protections.
The platform will not pursue the researchers if they accidentally exceeded the scope of the error reward. The new GitHub policy also states that it will protect researchers from third parties who do not offer the same level of protection of the Safe Harbor.
The words “safe harbor” mentioned on the site say: “To encourage investigation and responsible disclosure of security vulnerabilities, we will not initiate any civil or criminal action, nor will we send an opinion to the police for breach of this policy by accident or in good faith. “
