The developer platform GitHub has doubled the maximum reward in its bug bounty programme for security researchers, from $5,000 to $10,000, in a bid to attract more interest.
The GitHub Security Bug Bounty has been running for a year now and has resulted in the discovery of 73 previously unknown security vulnerabilities in the site.
GitHub security engineer Ben Toews gave a brief recap in a blog post:
“Of 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications. 33 unique researchers earned a cumulative $50,100 for the 57 medium to high risk vulnerabilities they reported.”
The top submitter is Aleksandr Dobkin (@adob), who has accrued a whopping 23,750 points.
He uncovered a variety of problems in the platform, including a persistent DOM-based cross-site scripting vulnerability that relied on a previously unknown Chrome browser bug to bypass GitHub's Content Security Policy.
Researchers who find flaws in GitHub are encouraged to send them to the platform's security team for review.
The business of vulnerability disclosure has become a contentious issue of late after a very public dispute between Google and Microsoft.
The latter frequently refers to "responsible disclosure", that is, informing the affected vendor privately and waiting for a fix to be issued before going public with the details.
However, there are no universally agreed norms on exactly how long a vendor should be allowed to take to fix a specific vulnerability.
Many, including Google's Project Zero team, reckon that flaws should be fixed as soon as possible, to reduce the chance of cyber-criminals discovering and exploiting the same holes.
When Google's strict 90-day limit expired earlier this month, it released details of a Windows flaw just two days before it was due to be fixed in Microsoft's Patch Tuesday, prompting criticism from some quarters and an angry response from Redmond.
Google itself tripled its maximum bug bounty reward, from $5,000 to $15,000, last September, and earlier this week announced it had paid out over $80,000 to researchers who helped fix holes in Chrome 40.