In 2017, GitHub paid $166,000 in Bug Bounties
Recently, GitHub announced on its blog that in 2017 it paid a total of $166,495 in rewards to security researchers. The bug bounty program has now run for four years, with 2017 being its fourth year. Through the program, security researchers can report system problems and security vulnerabilities they find in GitHub.
Compared to the $81,700 paid in 2016, last year's total more than doubled and nearly equals the $177,000 paid out over the program's first three years combined. In the program's first two years, the company paid $95,300 in rewards.
In addition, in 2017 GitHub received a total of 840 vulnerability report submissions, but only 15% (about 121) were ultimately resolved and rewarded. In 2016, GitHub received a total of 795 vulnerability report submissions; in the end, only 73 were rewarded, and of those only 48 valid reports appeared on the bug bounty program's homepage.
The number of valid reports therefore increased significantly last year, which in turn increased total payouts. This led GitHub to reassess its payment structure in October last year. As a result, the bounties doubled, with minimum and maximum payouts of $555 and $20,000, respectively.
With the continued growth in the number of participating security researchers, program initiatives, and bonus payments, 2017 was the year with the highest total rewards. In addition, GitHub brought GitHub Enterprise into the scope of the bug bounty program, allowing researchers to look for vulnerabilities in deployments that are not publicly exposed on GitHub.com or are specific to enterprise customers.
Likewise, GitHub plans to build on last year's successes by introducing more private incentives and research grants.
Source: SecurityWeek