To reward and incentivize contributions from the open source community, GitHub
Security Lab is launching a bounty program. We pay bounties for new
vulnerabilities you find in open source software using CodeQL.
The Bug Slayer (discover a new vulnerability)
Write a new CodeQL query that finds multiple vulnerabilities in open source software.
How to participate
- Write a CodeQL query that models a vulnerability you’re interested in.
- Run your query on popular open source software and find at least four vulnerabilities, preferably across multiple projects.
- Report the vulnerabilities to the projects' maintainers, help them fix them, and have them obtain CVEs for each one. Remember that for most open source projects, maintainers can now get a CVE directly from GitHub via Security Advisories. To be eligible for a bounty, you must first coordinate disclosure of the vulnerabilities with the maintainers of the projects.
- Open a pull request in the security-lab repo with a single CodeQL query. See the contribution guidelines for more details.
- Create an issue using the bug slayer template. The issue should link to your pull request and contain a detailed report of the vulnerabilities your query finds. Mention only the vulnerabilities that have been publicly disclosed and fixed. It should include a description of the vulnerabilities, their associated CVEs, and how the query allowed you to find them. Pull requests without an accompanying issue cannot be considered.
- An award of up to $2500 USD will be granted. We consider the impact and risk associated with the vulnerability and the quality of your query when determining the award amount.
All for one, one for all (add a new default query)
Write a CodeQL query that is merged into the CodeQL repository. Such queries
must identify a class of vulnerabilities (often linked to a CWE) with high
precision (i.e., a low false positive rate).
How to participate
- Write a CodeQL query that models a vulnerability class not currently covered by the current queries, or improve an existing query and extend its coverage to detect additional vulnerabilities. Use the contribution guidelines in the CodeQL repo.
- Before requesting a bounty, you should first coordinate disclosure of any vulnerabilities that you are aware of with the maintainers of the affected projects.
- Open a pull request in the official query repo with a single CodeQL query (for Go, please use the codeql-go repository).
- Create an issue using the all for one template and a detailed report on the class of vulnerabilities your query is intended to find. In case you are improving an existing query, explain what false negatives from the current query your improvement is intended to address. Pull requests without an accompanying issue cannot be considered. The issue should also include details of any vulnerabilities that you found with the query. Don't create an issue until the coordinated disclosure process for those vulnerabilities is complete, because the issue will be publicly visible.
- Work with the CodeQL team to verify the quality of your query. We will assess whether the query meets the standards to be included in the CodeQL repo, or whether improvements are required. Queries must meet at least the requirements for experimental queries, including at least one useful result on some revision of a real project. Higher bounties will be awarded for queries that also meet the additional requirements for supported queries, including query help and tests. In case you are improving an existing query, your submission must meet at least the requirements met by the existing query (if the existing query is already a supported query, your submission must meet the requirements for supported queries).
- An award of up to $3000 USD will be granted. We consider the impact and risk associated with the vulnerability and the quality of your query and documentation when determining the award amount.
Out of Scope
To be eligible for a bounty, queries must be non-trivial and meet a minimum
complexity requirement. More concretely, queries that simply look for one or
two AST elements, or that could be easily implemented with a linter or a simple
grep, may not be considered interesting enough for a bounty.
A good way to ensure that your queries meet this requirement is to make sure
they use some more advanced analysis, such as data-flow or control-flow.
CodeQL queries for the Python language are temporarily out of scope.
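As an added illustration of the complexity bar described above (this is not code from the bounty page or from the CodeQL repository), the following CodeQL for Java query tracks an untrusted servlet parameter to Runtime.exec across method boundaries, which a grep or a single-AST-element query cannot do. It assumes the class-based TaintTracking::Configuration API; the query name, id and class names are made up for the example.

```ql
/**
 * @name Untrusted servlet parameter reaches Runtime.exec (added example)
 * @description A plain "every call to Runtime.exec" query is the kind of
 *              AST-only check the bounty rules call out as too simple; this
 *              query instead requires taint flow from a request parameter.
 * @kind path-problem
 * @problem.severity error
 * @id example/servlet-param-to-exec
 */

import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

/** A call to `ServletRequest.getParameter(...)`: the untrusted source. */
class ServletParameterSource extends DataFlow::Node {
  ServletParameterSource() {
    exists(MethodAccess ma |
      ma.getMethod().hasName("getParameter") and
      ma.getMethod().getDeclaringType().getASupertype*()
        .hasQualifiedName("javax.servlet", "ServletRequest") and
      this.asExpr() = ma
    )
  }
}

/** An argument of `java.lang.Runtime.exec(...)`: the command-execution sink. */
class RuntimeExecSink extends DataFlow::Node {
  RuntimeExecSink() {
    exists(MethodAccess ma |
      ma.getMethod().hasQualifiedName("java.lang", "Runtime", "exec") and
      this.asExpr() = ma.getAnArgument()
    )
  }
}

/** Global taint tracking from the source to the sink (assumed class-based API). */
class ParamToExecConfig extends TaintTracking::Configuration {
  ParamToExecConfig() { this = "ParamToExecConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof ServletParameterSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof RuntimeExecSink }
}

from ParamToExecConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Command passed to Runtime.exec is built from an untrusted request parameter $@.",
  source.getNode(), "here"
```

Because the result is a path, reviewers can see every step from the parameter read to the exec call, which is also what makes the false positive rate measurable in the way the bounty criteria ask for.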
How does GitHub determine the amount of a bounty award?
The GitHub Security Lab and CodeQL teams consider the following factors when
setting a bounty award:
- The complexity of the vulnerabilities
- The severity of the vulnerabilities
- The prevalence of the vulnerabilities: the number of impacted users and systems
- The performance and reliability of the query: its false positive rate
- The documentation of the query
- Whether you produce a blog post / write-up about the vulnerabilities and query to help share your experience
We welcome all query submissions and are happy to provide feedback on
Is the bounty award less for improving a query than for writing a new
Not as a rule, as several factors (see above) are considered. The quality of
the query (performance, reliability, documentation) will likely be scored less
than for a new query. But it may be the case that the new vulnerabilities
discovered by your improvement are more complex, and/or impact more users and
systems than the original ones, which will give you a better score on these
What if I do not want my submission published on the bounty website or do
not have a GitHub account?
You can contact us via a DM on Twitter @GHSecurityLab. We will keep your name
anonymous, but the details of the report and the query will be public, subject
to our responsible disclosure policy.