After paying out more than $165,000 in developer awards in 2018, GitHub has expanded its bug bounty program. The company not only raised the reward amounts but also changed the program's terms to protect researchers from legal risk.
For a start, GitHub has removed the bug bounty payout ceiling. The new table rewards researchers according to the severity of the bug: Low ($617 to $2,000), Medium ($4,000 to $10,000), High ($10,000 to $20,000) and Critical ($20,000 to $30,000 and beyond).
The program covers all primary services hosted under the github.com domains (GitHub Education, GitHub Learning Lab, GitHub Jobs, and GitHub Desktop), Enterprise Cloud, githubapp.com and github.net. To participate, the researcher cannot be from one of the countries against which the United States has issued export sanctions or other trade restrictions, such as Cuba, Iran, North Korea, Sudan, and Syria.
Some classes of bugs have been declared ineligible, so it is important to check the list published by GitHub before submitting a report. Non-technical attacks, such as social engineering, phishing, or physical attacks against employees, users, or platform infrastructure, are also not permitted as a means of finding bugs.
The bug bounty changes came in response to feedback from security researchers who participated in the program. They also include new "Legal Safe Harbor" terms, which are incorporated into GitHub's site policies and based on CC0-licensed templates. GitHub now commits, for example, not to support any third-party civil suit or action arising from research activities conducted under the rewards program.
GitHub also will not share identifying information about bug bounty participants with third parties without their written permission. "We also do not share non-identifying information without first notifying you and obtaining a written commitment from a third party not to take legal action against you," the new document states.