GitHub
The world's largest source code hosting platform with 100M+ developers, offering repositories, CI/CD, and collaboration tools.
https://github.comMax Reward
$30,000
Total Paid
$4,500,000
Resolved
567
Avg Response
2 days
In-Scope Assets
github.com
Web platform, repositories, and code review
GitHub API
REST and GraphQL APIs
GitHub Actions
CI/CD and workflow automation
GitHub Codespaces
Cloud development environments
Out of Scope
- ✕ GitHub Education
- ✕ GitHub Community forums
- ✕ Third-party Actions
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (3)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| GH-001 | Actions workflow injection via crafted PR title in public repos | High | Open | $10,000–$30,000 | 0 |
| GH-002 | Private repository name disclosure via API error messages | Medium | In Review | $1,000–$3,000 | 2 |
| GH-003 | CSRF on repository settings allowing branch protection bypass | High | Open | $5,000–$15,000 | 0 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.