GitHub released the 2020 highlights for its GitHub Security Bug Bounty Program, which was launched in 2014. According to the announcement, between February 2020 and February 2021, GitHub awarded $524,250 in bounties for 203 vulnerabilities in its products and services. The company also stated that 2020 was its busiest year and that it handled a higher volume of submissions than in any previous year.
2020 highlights of the Bug Bounty Program
GitHub shared the highlights for the last year in a blog post it published. GitHub also shared some of the most interesting submissions it received during that period. Here are some of the highlights of the GitHub Security Bug Bounty Program:
- $524,250 in bounties awarded for 203 vulnerabilities in the company’s products and services. This brings the overall rewards from the program since moving to HackerOne in 2016 to $1,552,004.
- 1,066 submissions across its public and private programs.
- Response times improved by 4 hours compared with 2019, to an average of 13 hours to first response.
- Submissions were validated and triaged internally to partner teams within 24 hours on average.
- Bounties were paid out on average 24 days after the submission of an eligible report.
- The program was ranked as one of the top programs on HackerOne.
The platform also created a new internal team dedicated to the execution and growth of the bug bounty program in June of 2021. The team aims to accelerate and refine the triage and response process as well as expand into new initiatives. GitHub is also expanding the Product Security Engineering team and the broader GitHub security organization.