GitHub revealed that its Security Bug Bounty Program registered the most submissions in 2020 since its launch in 2014, and 204 vulnerabilities qualified for bounties.
Companies figured out a while ago that it’s better to find the vulnerabilities in their own software than to leave it to hackers or to hope that it’ll work out fine. All software and hardware has vulnerabilities. Sometimes, the good guys find them, but the entire industry can suffer when that’s not the case. In these programs, such as the one GitHub runs, security researchers are encouraged to find and report vulnerabilities in exchange for a bounty.
“2020 was our busiest year yet,” said GitHub. “From February 2020 to February 2021, we handled a higher volume of submissions than any previous year.[…] $524,250 in bounties awarded for 203 vulnerabilities in our products and services. This brings the overall rewards from our program since moving to HackerOne in 2016 to $1,552,004,” GitHub explained.
The company also provided a very interesting example of a bug submission that affected its own platform, GitHub.com, and which could have been used to compromise the OAuth flow of Gist users.
“While the risk is fairly low, this vulnerability could be used to facilitate social engineering attacks by providing a link to GitHub.com that would end up redirecting to an attacker-directed site,” said GitHub.
It’s no surprise that 2020 was such a busy year for submission of vulnerabilities, as many people suddenly switched to working from home. Security researchers paid more attention to some of the more popular apps, and the entire bounty industry is becoming a lot more profitable.