CODE REPOSITORY GitHub is celebrating five years of its bug bounty programme with an injection of cash into the rewards pot.
The platform, which was purchased last year by Microsoft in a controversial $7.5bn deal, has given $165,000 to researchers in 2018 alone, in return for spotting vulnerabilities in code hosted by the site.
Adding in grants for research and private bug bounty programmes which GitHub participate in, that total was over $250k.
Now, the scope of the internal bug bounties has been expanded to include GitHub Education, GitHub Learning Lab, GitHub Jobs and GitHub Desktop. It will also cover Enterprise Cloud and internally, it will cover githubapp.com and github.net.
Now the moolah - the highest possible payout for a critical bug is now listed as $20k-$30k+, an ambiguous but sizeable figure. High rated bugs will have $10k-$20k on their heads, 'medium' will get $4k-$10k and 'low' ratings will get between $617 and $2k.
GitHub says the ambiguous high figure reserves the right to give even higher rewards for what it describes as "truly cutting edge research".
Also new is a Legal Safe Harbour policy, designed to cover both Github and its users against possible legal risks, in the quest for bugs.
It states that even if you accidentally overstep your remit as a bug bounty hunter, GitHub will neither prosecute or allow others to prosecute, on the basis of good faith.
Report sharing will be anonymised, allowing GitHub to further protect its users from legal action from third parties. Furthermore, it will inform the user before passing any data, and seek written assurance from the requesting party that it will not be used to take legal action.
Finally, terms of service will be more ‘elastic' if they're being broken for the purposes of bug bounty hunting. It will turn a blind eye to practices like reverse engineering and offer a limited waiver, which also protects against action that could be taken for breaching the Digital Millenium Copyright Act (DMCA), if, of course, its been done for the greater good. μ
What can a hacker hack if a hacker hacks hackers...
But we doubt people will be lining up to buy it
'Prolific' duo netted more than $100m in spree
But its library is lacking here in Blighty