Banner object (1)

Hack and Take the Cash !

790 bounties in database
  Back Link to program      
GitHub logo
Hall of Fame


617 $ 

In Scope

Scope Type Scope Name
hardware Bypassing instance-wide authentication, also known as
hardware private mode
hardware External authentication backends including
hardware CAS, LDAP, and SAML
hardware In-app administration of the instance using a site administrator control panel
hardware User, organization, and repository migration
hardware Web-based management console
hardware and
hardware SSH access
hardware to configure and update the instance
hardware Pre-receive hook scripts
hardware GitHub Connect
hardware allows users to share specific features and workflows between your GitHub Enterprise Server instance and a organization on GitHub Enterprise Cloud.
hardware See
hardware our documentation
hardware for a list of services typically open on an instance.
other Credentials allowing access to cloud services, package managers and other resources used by GitHub, Inc employees
other Credentials accidentally made public in repositories which allow access to GitHub, Inc resources. This does
other not
other include credentials exposed by our users and credentials which do not allow access to GitHub, Inc resources.
other Credentials exposed by third-party services which allow access to GitHub, Inc resources
other Executing arbitrary code during the build process, either via a custom Jekyll theme or vulnerabilities in the command-line Git tools when cloning or checking-out repositories
other Reading arbitrary files during the build process which discloses sensitive information, for example by misusing path traversal or symbolic links in a custom Jekyll theme
other __
other bounty __
undefined Remote code execution via protocol handlers such as
undefined x-github-client://
undefined Code execution without user interaction when cloning or fetching malicious repositories
web_application *
web_application *

Out of Scope

Scope Type Scope Name
undefined __
web_application *
web_application reported __
web_application GitHub Classroom Assistant application __


GitHub Security Bug Bounty

Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.

You can find more information in our rules __, scope __, targets __, and FAQ __sections. You can also check the current rankings on the leaderboard __.

Happy hacking!


Before you start

  • Check the list of bugs that have been classified as ineligible __. Submissions which are ineligible will likely be closed asNot Applicable.
  • Check the GitHub Changelog __for recently launched features.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • When in doubt, contact us at
  • By participating in GitHub's Bug Bounty program (the "Program"), you acknowledge that you have read and agree to GitHub's Terms of Service __as well as the following:

    • you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.
    • your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
    • you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
    • GitHub reserves the right to terminate or discontinue the Program at its discretion.
    • Only test for vulnerabilities on sites you know to be operated by GitHub and are in-scope __. Some sites hosted on subdomains are operated by third parties and should not be tested.

Legal safe harbor

Your research is covered by the GitHub Bug Bounty Program Legal Safe Harbor __policy. In summary:

  • We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.
  • We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.
  • Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.
  • If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.

Performing your research

  • Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.
  • The following are never allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:

    • Performing distributed denial of service (DDoS) or other volumetric attacks
    • Using scanners, scrapers or any other automated tools in your testing
    • Spamming content
    • Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:

    • Research must be performed in organizations or repositories you own

    • Stop immediately if you believe you have affected the availability of our services. Don 't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.
    • There are no limits for researching denial of service vulnerabilities against your own instance of GitHub Enterprise Server __

Handling personally identifiable information (PII)

  • Personally identifying information (PII) includes:
    • legal and/or full names
    • names or usernames combined with other identifiers like phone numbers or email addresses
    • health or financial information (including insurance information, social security numbers, etc.)
    • information about political or religious affiliations
    • information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes
  • Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.
  • Report the vulnerability immediately and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.
  • Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned
  • You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.
  • We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability

Reporting your vulnerability

  • Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.
  • When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.
  • For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.
  • Do not publicly disclose your submission until GitHub has evaluated the impact.

Receiving your award

  • All reward amounts are determined by our severity guidelines __.
  • You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.
  • Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.
  • You may prefer the reward go toward helping others. If you choose so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.


GitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are not in-scope, not eligible for rewards and not covered by our legal safe harbor __.

Our main domain hosting user-facing GitHub services.. All subdomains under are in-scope except :

  • *
  • *
  • *

Our domain for hosting static assets.. All subdomains under are in-scope

Our domain for hosting and rendering users' data.. All subdomains under are in-scope

Our domain for hosting employee-facing services.. All subdomains under are in-scope except :


Our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. All subdomains under are in-scope

Severity Guidelines

All bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:

Critical: $20,000 - $30,000

Critical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low- level/foundational components in one of our application stacks or infrastructure. For example:

  • arbitrary code/command execution on a GitHub server in our production network.
  • arbitrary SQL queries on the GitHub production database.
  • bypassing the GitHub login process, either password or 2FA.
  • access to sensitive production user data or access to internal production systems.

The upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.

High: $10,000 - $20,000

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:

  • injecting attacker controlled content into (XSS) which bypasses CSP.
  • bypassing authorization logic to grant a repository collaborator more access than intended.
  • discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.
  • gaining access to a non-critical resource that only GitHub employees should be able to reach.
  • code execution in a desktop app that requires no user interaction.

Medium: $4,000 - $10,000

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:

  • disclosing the title of issues in private repositories which should be be inaccessible.
  • injecting attacker controlled content into (XSS) but not bypassing CSP or executing sensitive actions with another user's session.
  • bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.

Low: $617 - $2,000

Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:

  • signing up arbitrary users for access to an "early access feature" without their consent.
  • creating an issue comment that bypasses our image proxying filter by providing a malformed URL.
  • bypassing community-and-safety features such as locked conversations.
  • bypassing billing & plan restrictions to gain access to paid features.
  • triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.
  • triggering application exceptions that could affect many GitHub users.

FireBounty © 2015-2019

Legal notices