GitHub Paid Out Over $1 Million in Bug Bounties

GitHub this week announced that it has paid out over $1 million in rewards to the security researchers participating in its bug bounty program on HackerOne.


The security bug bounty program was launched on the hacker-powered platform in 2016, but GitHub has been accepting vulnerability reports since February 2014.


Last year alone, the Microsoft-owned service paid almost $590,000 in total bounty rewards across its programs, and says it maintained an average response time of 17 hours despite a 40% increase in submissions.


In 2019, GitHub expanded the scope of its bug bounty program to cover several newly released features, such as functionality to keep engineers informed of new pull requests that need attention, improved vulnerability tracking in automated security updates, GitHub for mobile, GitHub Actions, and Semmle’s LGTM tool.


The code repository platform says that some of the submissions it received for vulnerabilities in these products proved highly valuable for the development cycle. GitHub awarded more than $20,000 in bounties for security bugs in the products in this expanded scope.


One of the most important vulnerability submissions received last year was an OAuth flow bypass using cross-site HEAD requests, which effectively allowed an attacker to bypass the platform’s controls and authorize OAuth applications without any user interaction.


The platform released a patch for this severe vulnerability within three hours of receiving the initial submission, although the vulnerability was not being exploited in the wild. The reporting researcher received a $25,000 reward for discovering the bug.


Another important security issue GitHub patched last year was a remote code execution through command injection on GitHub.com. The flaw existed because the branch names were not correctly sani ..