GitHub spent RMB 1.05 million on vulnerability bounties in 2017: more than double the previous year

Last year, GitHub paid a total of $166,495 (approximately RMB 1.05 million) to security researchers through its four-year-old bug bounty program, which rewards researchers who report vulnerabilities and other problems they find in GitHub's systems.

In 2016, GitHub paid a total of US$817,000, so last year's total has apparently more than doubled and is almost equivalent to the combined expenditure of the previous three years (US$177,000). In 2014 and 2015 together, GitHub paid $953,000 in bounties.

In 2017, GitHub received a total of 840 vulnerability reports, but only about 15% of them (about 121) were ultimately resolved and rewarded with a bounty.

In 2016, GitHub received a total of 795 vulnerability reports. In the end, only 73 were rewarded, and of these only 48 valid reports were eventually listed on the bounty program's homepage.

The increase in the number of valid reports contributed to the increase in total payouts, which also led GitHub to reassess its payment structure in October last year. As a result, bounties doubled, with a minimum bounty of $555 and a maximum bounty of up to $20,000.

Greg Ose of GitHub pointed out that, with more projects participating, the scale of the program and the number of researchers have continued to grow, and last year paid out the most rewards so far.

In addition, GitHub brought GitHub Enterprise into the bounty program, allowing researchers to look for vulnerabilities in undisclosed or specific enterprise deployments on the GitHub.com platform.

Ose said: "At the beginning of last year, many vulnerability reports related to our enterprise authentication methods, which prompted us to pay attention to this issue internally, and we are also studying how to get researchers to pay attention to this feature as well."

Ose also stated that GitHub has launched its first research grant, an initiative it has long been focused on. The grant pays a fixed amount to researchers who explore specific application features or areas; any other vulnerabilities they discover along the way are also eligible for bounties.

Last year, GitHub also launched a private vulnerability bounty service that allows it to limit the scope of vulnerabilities reaching production. It also made internal improvements to triage and fix submissions more effectively, and plans to improve the process further this year.

GitHub now hopes to build on its 2017 results by launching more private bounties and research grants to draw researchers' attention to code both before and after it is publicly released. The company also plans to launch additional reward programs later this year.

Ose concludes: "Given the success of the vulnerability bounty program, we are now considering how to expand its scope to provide more help for our production services while protecting the entire GitHub ecosystem. We are looking forward to the next step and will be triaging and fixing the submitted vulnerabilities this year."
