GitHub’s revamped VIP Bug Bounty Program
GitHub’s VIP Bug Bounty Program has been updated to include clear and accessible criteria for receiving an invitation to the program, and more. Learn more about the program and how you can become a Hacktocat, and join our community of researchers who are contributing to GitHub’s security, with fun perks and access to staff and beta features!
GitHub’s bug bounty team has had an exciting start to the year. We launched our very own swag store, allowing researchers to earn exclusive bug bounty branded swag as a bonus perk to their earned bounty reward, and held two private beta feature engagements, which brought us great findings by our VIP researchers!
The addition of the swag store came from many conversations and feedback on how we can continue to improve our bug bounty program. In these conversations, we were also inspired to revamp our VIP program, a private program that has been operating for five years, in which we privately invite researchers to gain exclusive access based on their contributions to securing GitHub. This revamp includes establishing clearer and more accessible criteria for receiving an invite to join the VIP program as a Hacktocat, more access to beta features, exclusive VIP-only swag, access to engineering and security Hubbers, and more! Let’s break it down.
How can one receive an invite?
A Hacktocat is someone who has consistently contributed to improving the security of GitHub through high-impact, credible reports via our bug bounty program. To receive an invite, a researcher must have:
- Earned at least $20,000 on our program.
- Submitted at least two reports in the last two years.
What are the perks?
Researchers who meet the above criteria unlock an invitation to work directly with GitHub staff and other researchers, which increases opportunities to learn about and build familiarity with our range of products and features. Specifically, our Hacktocats within the VIP program have direct access to:
- Many beta products and features before they roll out publicly
- GitHub Bug Bounty staff and engineers who are behind the beta features they’re getting access to 😄
- Exclusive Hacktocat swag
Our partnership with talented security researchers from across the community is pivotal in running a successful bug bounty program, so we thank all who continue to support and participate in our program. Your submissions are greatly valued and impactful to ensuring the safety and security of our products, our users, and the community, and we are excited to introduce even more incentives.
For more details regarding the program’s scope, rules, and rewards please visit our website! We look forward to seeing more Hacktocats join the program.