GitHub says it has paid out US$95,300 over two years under its bug bounty program.
The payouts cover 102 medium to high-severity vulnerabilities reported by 58 researchers.
These gems were pruned from some 1,172 bug reports that warranted an inspection by GitHub security bods, the rest of which didn’t rate a pay-out.
The total inspected pool was filtered from among 7,050 bug submissions, equating to a signal-to-noise ratio of roughly 1:6.
GitHub is the better for it, however. Security engineer Ben Toews says the code cauldron has fixed bugs spanning the entire OWASP Top 10 list of the worst web application holes.
“By rewarding the talented and dedicated researchers in the security industry, we discover and fix security vulnerabilities before they can be exploited,” Toews says.
“In the first year of the bounty program, we saw reports mostly about our web services.
“In 2015, we received a number of reports for vulnerabilities in our desktop apps.”
Toews details some of the important bugs reported under GitHub's bug bounty, first launched in 2013.
Those include a browser bug that meant cookies were sent to third-party sites – one that was not GitHub's fault but impacted the web service along with much of the internet.
Another reported by a cryptography wonk related to trivial factoring of SSH keys, while a code execution bug was crushed in GitHub’s Mac and Windows clients, and its large file storage.
“That’s a great start, but we hope to further increase participation in the program. So, fire up your favorite proxy and start poking at GitHub.com”. ®