We’ve often had the opportunity to hear about bug hunting & bug bounty programs from the researcher perspective, or in the form of sales pitches from companies that help build programs, but less often do we hear from the folks whose main focus is working on those programs. In this talk we’ll explore the ins and outs of GitHub’s Bug Bounty program, along with advice for those working in BB/VDP programs or submitting bounty reports.
GitHub’s Bug Bounty program is often noted as being a leader in bug bounty – an early adopter, consistently offering generous awards with clear scoping. In addition to having a dedicated team to work with researchers, we’ve helped host three live hacking events with HackerOne, and have paid out over $3,400,000 USD in bounties since the inception of our program in January 2014.
I’ll aim to cover:
– An overview of GitHub’s Bug Bounty program, including our payout strategies, key milestones, and lessons learned
– How GitHub handles report triage & severity assignment including our tooling/automation
– How GitHub’s bounty team interacts with researchers and aims to more deeply understand and analyze bug reports
– Operational considerations of working with a SaaS & on-premise product that has a shared code base
– Our report/vulnerability disclosure practices and why we do things the way we do
– Bug bounty triage as a job & career stepping stone
– Tips for researchers, bounty staff, and program owners
Attendees should walk away from this talk having a better understanding of GitHub’s lessons learned running a bug bounty program, the nuances and challenges that triagers/engineers face working with bounty reports, and also how to improve their ROI when working on or with bounty programs.