1. IT-Security >
  2. Cyber Security Nachrichten >
  3. GitHub Paid $166,000 in Bug Bounties in 2017


ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

GitHub Paid $166,000 in Bug Bounties in 2017

RSS Kategorie Pfeil IT Security Nachrichten vom | Quelle: feedproxy.google.com Direktlink öffnen

Git repository hosting service GitHub paid a total of $166,495 in rewards in 2017 to security researchers reporting vulnerabilities as part of its four year old bug bounty program.

Total payouts more than doubled compared to the $81,700 paid in 2016 and were nearly equal to the total bounties paid during the first three years of the program: $177,000. During the first two years of the program, the company paid $95,300 in bug bounties.

Throughout the year, the company received a total of 840 submissions to the program, but resolved and rewarded only 121 of them (15%). In 2016, GitHub rewarded 73 of the 795 valid reports it received, with only 48 submissions being deemed high enough to appear on bug bounty program’s page.

The number of valid reports fueled the increase in total payouts and also resulted in GitHub re-evaluating its payout structure in October 2017. Thus, the bug bounties were doubled, with the minimum and maximum payouts now at $555 and $20,000.

With the program continuously growing participation by researchers, program initiatives, and the rewards paid out, 2017 proved the biggest year yet, GitHub’s Greg Ose points out.

Last year, the company also announced the introduction of GitHub Enterprise to the bug bounty program, allowing researchers to find vulnerabilities in areas that may not be exposed on GitHub.com or which are specific to enterprise deployments.

“In the beginning of 2017, a number of reports impacting our enterprise authentication methods prompted us to not only focus on this internally, but also identify how we could engage researchers to focus on this functionality,” Ose notes.

He also says GitHub has launched its first researcher grant, an initiative the company has been long focused on. This effort involves paying “a fixed amount to a researcher to dig into a specific feature or area of the application.” Any discovered vulnerability would also be rewarded through the Bug Bounty program.

Last year, GitHub also rolled out private bug bounties, which allowed it to limit the impact of vulnerabilities in production. The company also rolled out internal improvements to the program, to more efficiently triage and remediate submissions and plans on refining the process in 2018 as well.

GitHub is looking to expand the initiatives that proved successful in 2017, launching more private bounties and research grants to gain focus on various features before and after they publicly launch. The company also plans additional promotions later this year.

“Given the program’s success, we’re also looking to see how we can expand its scope to help secure our production services and protect GitHub’s ecosystem. We’re excited for what’s next and look forward to triaging and fixing your submissions this year,” Ose concludes.

Related: GitHub Warns Developers When Using Vulnerable Libraries

Related: Hackers Earn Big Bounties for GitHub Enterprise Flaws

view counter
...

Webseite öffnen Komplette Webseite öffnen

Newsbewertung

Kommentiere zu GitHub Paid $166,000 in Bug Bounties in 2017






Ähnliche Beiträge

  • 1. Announcing TraceProcessor Preview 0.1.0 vom 584.09 Punkte ic_school_black_18dp
    Process ETW traces in .NET. Background Event Tracing for Windows (ETW) is a powerful trace collection system built-in to the Windows operating system. Windows has deep integration with ETW, including data on system behavior all the way down to the ker
  • 2. Crypton - Library Consisting Of Explanation And Implementation Of All The Existing Attacks On Various Encryption Systems, Digital Signatures, Hashing Algorithms vom 443.93 Punkte ic_school_black_18dp
    Crypton is an educational library to learn and practice Offensive and Defensive Cryptography. It is basically a collection of explanation and implementation of all the existing vulnerabilities and attacks on various Encryption Systems (Symmetric and Asymmetric), Digital Signatures, Message Authentication Codes and Authenticated E
  • 3. USN-3415-1: tcpdump vulnerabilities vom 391.93 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3415-1 13th September, 2017 tcpdump vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed
  • 4. USN-3415-2: tcpdump vulnerabilities vom 391.93 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3415-2 13th September, 2017 tcpdump vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS Summary Several security issues were fixed in tcpdump Software description tcpdump
  • 5. GitHub Paid $166,000 in Bug Bounties in 2017 vom 337.67 Punkte ic_school_black_18dp
    Git repository hosting service GitHub paid a total of $166,495 in rewards in 2017 to security researchers reporting vulnerabilities as part of its four year old bug bounty program. Total payouts more than doubled compared to the $81,700 paid in 2016 and were nearly equal to the total bo
  • 6. Commando VM v1.3 - The First Full Windows-based Penetration Testing Virtual Machine Distribution vom 241.24 Punkte ic_school_black_18dp
    Welcome to CommandoVM - a fully customized, Windows-based security distribution for penetration testing and red teaming.Installation (Install Script)Requirements Windows 7 Service Pack 1 or Windows 10 60 GB Hard Drive 2 GB RAM Recommended Windows 10 80+ G
  • 7. VulnX v1.7 - An Intelligent Bot Auto Shell Injector That Detect Vulnerabilities In Multiple Types Of CMS vom 211.05 Punkte ic_school_black_18dp
    VulnX Wiki • How To Use • Compatibility • Library • Vulnx is An Intelligent Bot Auto Shell Injector that detects vulnerabilities in multiple types of Cms, fast cms detection, information gathering and vulnerability Scanning of the target
  • 8. Vcpkg: 2019.06 Update vom 210.02 Punkte ic_school_black_18dp
    Vcpkg: 2019.06 Update The 2019.06 update of vcpkg, a tool that helps you manage C and C++ libraries on Windows, Linux, and MacOS, is now available. This is the first time we’ve created a vcpkg release on our GitHub repository. This update is designed to bring you a summa
  • 9. OSCP Goldmine (not clickbait) vom 209.58 Punkte ic_school_black_18dp
    Introduction Welcome to the OSCP resource gold mine. Compilation of resources I used/read/bookmarked in 2017 during the OSCP course… Google-Fu anyone? This was originally created on my GitBook but I decided to port it on my blog. This my way of
  • 10. USN-3290-1: Linux kernel vulnerability vom 208.98 Punkte ic_school_black_18dp
    Ubuntu Security Notice USN-3290-1 16th May, 2017 linux vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS Summary The system could be made to crash under certain conditions. Software descripti
  • 11. Socks proxies by Buyproxies247 vom 207.9 Punkte ic_school_black_18dp
    S
  • 12. Censys Subdomain Finder - Perform Subdomain Enumeration Using The Certificate Transparency Logs From Censys vom 174.66 Punkte ic_school_black_18dp
    This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain who has ever been issued a SSL certificate by a public CA. See it in action: $ python censys_subdomain_finder.py github.com[*]