GitHub Paid Out Over $1 Million in Bug Bounties 新闻资讯

信息发布员 5月前 81

GitHub this week announced that it has paid out over $1 million in rewards to the security researchers participating in its bug bounty program on HackerOne.

The security bug bounty program was launched on the hacker-powered platform in 2016, but GitHub has been accepting vulnerability reports since February 2014.

Last year alone, the Microsoft-owned service paid almost $590,000 in total bounty rewards across its programs, and says it was able to maintain an average response time of 17 hours despite an increase in submissions of 40%.

In 2019, GitHub released several new features that were added to its bug bounty program, such as functionality to keep engineers informed of new pull requests that need attention, an improved vulnerability tracking feature in automated security updates, GitHub for mobile, GitHub Actions, and Semmle’s LGTM tool.

The code repository platform says that some of the submissions it received for vulnerabilities in these products proved highly valuable for the development cycle. GitHub awarded more than $20,000 in bounties for security bugs in the products in this expanded scope.

One of the most important vulnerability submissions received last year was an OAuth flow bypass using cross-site HEAD requests, which effectively allowed an attacker to bypass the platform’s controls and authorize OAuth applications without any user interaction.

The platform was able to release a patch for this severe vulnerability within three hours after receiving the initial submission, although the vulnerability was not being exploited in the wild. The reporting researcher received a $25,000 reward for discovering the bug.

Another important security issue GitHub patched last year was a remote code execution through command injection on GitHub.com. The flaw existed because the branch names were not correctly sanitized in the Mercurial import feature.

“What makes this bug particularly interesting is the root cause: it was ultimately caused by an outdated dependency. The bug existed in a dependency that handles code imports and was previously fixed upstream. However, we failed to keep up with the latest version and were ultimately vulnerable to this issue,” GitHub explains.

In August last year, the platform participated in the H1-702 event in Las Vegas, where top hackers from HackerOne’s platform were invited for three nights of live hacking. The event, GitHub says, was a success, and it paid over $155,000 to researchers in one night, with half of the rewards being handed out for high or critical severity issues.

The platform also conducted a private, invite-only program where some features were previewed before their official rollout, which allowed it to discover bugs before they could affect users. More than $37,000 was awarded in bounties via the private program.

For 2020, GitHub is committed to moving forward with the Security Lab bounty program, which aims to secure all open source software, and says it will be assigning CVEs to submissions that affect GitHub Enterprise Server.


少客联盟- 版权声明 1、本主题所有言论和图片纯属会员个人意见,与少客联盟立场无关。
2、本站所有主题由该帖子作者发表,该帖子作者信息发布员少客联盟享有帖子相关版权。
3、少客联盟管理员和版主有权不事先通知发贴者而删除本文。
4、其他单位或个人使用、转载或引用本文时必须同时征得该帖子作者信息发布员少客联盟的同意。
5、帖子作者须承担一切因本文发表而直接或间接导致的民事或刑事法律责任。
6、本帖部分内容转载自其它媒体,但并不代表本站赞同其观点和对其真实性负责。
7、如本帖侵犯到任何版权问题,请立即告知本站,本站将及时予与删除并致以最深的歉意。
8、官方反馈邮箱:chinasuc@chinasuc.cn


上一篇:黑客组织于本月初袭击了WHO,界卫生组织遭遇黑客攻击
下一篇:GitHub的Bug赏金超过100万美元
人生的价值,并不是用时间,而是用深度去衡量的。
最新回复 (0)
    • 少客联盟
      2
        登录 注册 QQ登录(停用)
返回