In the two years since GitHub’s Security Bug Bounty program was launched, it has paid out almost $100,000.
In all, 58 unique researchers submitted more than 7,000 reports, of which more than 1,700 warranted further review. They earned a cumulative $95,300 for medium to high-risk vulnerabilities.
Notable finds included a bug that resulted in some RSA key generators creating SSH keys that were trivially factorable. GitHub ended up finding and revoking 309 weak RSA keys, and it now has validations that check if keys are factorable by the first 10,000 primes.
The program also uncovered an exploit against GitHub for Mac, allowing remote code execution.
“In the first year of the bounty program, we saw reports mostly about our web services,” the company noted in a blog post. “In 2015, we received a number of reports for vulnerabilities in our desktop apps. @tunz reported a clever exploit against GitHub for Mac, allowing remote code execution. Shortly thereafter, @joernchen reported a similar bug in GitHub for Windows, following up a few months later with a separate client-side remote code execution vulnerability in Git Large File Storage (LFS).”
There were also third-party issues that affected GitHub. @kelunik and @bwoebi reported a browser vulnerability that caused GitHub's cookies to be sent to other domains; and, @ealf reported a browser bug, bypassing GitHub’s JavaScript same-origin policy checks.
“We love it when a reported vulnerability ends up not being our fault,” GitHub said. “We were able to protect our users from these vulnerabilities months before the browser vendors released patches.”
GitHub, also linking charitable efforts to bug-hunting, matches bounties donated to 501(c)(3) organizations.
“In 2015 we saw an amazing increase in the number of bounties donated to a good cause,” it said. “With the help of our researchers, we contributed to the EFF, Médecins Sans Frontières, the Ada Initiative, the Washington State Burn Foundation, and the Tor Project. A big thanks to @ealf, @LukasReschke, @arirubinstein, @cryptosense, @bureado, @vito, and @s-rah for their generosity.”
Photo © Sven Hoppe