[{"id":3747985,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. \n\nHappy hacking!\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your 
participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. 
We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* We recommend adding your HackerOne `@wearehackerone.com` email address to any GitHub account that you use to perform security research and testing. If you use multiple GitHub accounts for testing, [you can use aliases of your HackerOne email address](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). Clearly identifying accounts that are associated with bounty research helps our teams to differentiate between possibly malicious activity and that of researchers involved in our Bug Bounty program. Please note that adding your HackerOne email address does not provide any exemptions to our Terms of Service or permit you to act beyond our bounty rules and scope.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. 
For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. 
We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#rewards).\n* In addition to the bounty reward, some reports will also receive a coupon code that can be redeemed for swag items at [the GitHub Bug Bounty Merch Shop](https://bugbounty.printengine.com/). For more information about the store, [please visit the shop's FAQ page](https://bugbounty.printengine.com/faqs).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability, and GitHub will not limit what you write. 
We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope.\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope.\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. 
They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-14T02:19:16.794Z"},{"id":3746984,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
\n\nHappy hacking!\n\n## Temporary Policy update for the Holidays\nAs we approach the holiday season, there may be delays in responding to and triaging reports from December 20th, 2024 to January 6th, 2025. Your report is important to us, and we will respond and investigate as soon as we can. Thanks for your patience and for participating in GitHub's Bug Bounty program! \n\nWe’d like to remind our Bug Bounty participants: \n- Please do not impact other users with your testing, which includes testing vulnerabilities in repositories or organizations you do not own. This activity is ineligible for rewards and not allowed in our program. \n- If you are attempting to find an authorization bypass, you must use accounts you own.\n\nWe may suspend your GitHub account and ban your IP address for:\n- Performing distributed denial of service (DDoS) or other volumetric attacks\n- Spamming content\n- Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n   - Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). 
Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* We recommend adding your HackerOne `@wearehackerone.com` email address to any GitHub account that you use to perform security research and testing. 
If you use multiple GitHub accounts for testing, [you can use aliases of your HackerOne email address](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). Clearly identifying accounts that are associated with bounty research helps our teams to differentiate between possibly malicious activity and that of researchers involved in our Bug Bounty program. Please note that adding your HackerOne email address does not provide any exemptions to our Terms of Service or permit you to act beyond our bounty rules and scope.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#rewards).\n* In addition to the bounty reward, some reports will also receive a coupon code that can be redeemed for swag items at [the GitHub Bug Bounty Merch Shop](https://bugbounty.printengine.com/). For more information about the store, [please visit the shop's FAQ page](https://bugbounty.printengine.com/faqs).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability, and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. 
To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. 
All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope.\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope.\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-19T23:03:34.755Z"},{"id":3685083,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. 
For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* We recommend adding your HackerOne `@wearehackerone.com` email address to any GitHub account that you use to perform security research and testing. If you use multiple GitHub accounts for testing, [you can use aliases of your HackerOne email address](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). Clearly identifying accounts that are associated with bounty research helps our teams to differentiate between possibly malicious activity and that of researchers involved in our Bug Bounty program. Please note that adding your HackerOne email address does not provide any exemptions to our Terms of Service or permit you to act beyond our bounty rules and scope.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. 
`https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. 
Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#rewards).\n* In addition to the bounty reward, some reports will also receive a coupon code that can be redeemed for swag items at [the GitHub Bug Bounty Merch Shop](https://bugbounty.printengine.com/). For more information about the store, [please visit the shop's FAQ page](https://bugbounty.printengine.com/faqs).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability, and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. 
These CVEs will be shared with submitters via HackerOne and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope.\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope.\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. 
They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-20T17:49:12.495Z"},{"id":3682146,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. 
For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* We recommend adding your HackerOne `@wearehackerone.com` email address to any GitHub account that you use to perform security research and testing. If you use multiple GitHub accounts for testing, [you can use aliases of your HackerOne email address](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). Clearly identifying accounts that are associated with bounty research helps our teams to differentiate between possibly malicious activity and that of researchers involved in our Bug Bounty program. Please note that adding your HackerOne email address does not provide any exemptions to our Terms of Service or permit you to act beyond our bounty rules and scope.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. 
`https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. 
Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#rewards).\n* In addition to the bounty reward, some reports will also receive a coupon code that can be redeemed for swag items at [the GitHub Bug Bounty Merch Shop](https://bugbounty.printengine.com/). For more information about the store, [please visit the shop's FAQ page](https://bugbounty.printengine.com/faqs).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability, and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. 
These CVEs will be shared with submitters via HackerOne and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope.\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope.\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-18T17:10:31.786Z"},{"id":3681480,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. 
For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* We recommend adding your HackerOne `@wearehackerone.com` email address to any GitHub account that you use to perform security research and testing. If you use multiple GitHub accounts for testing, [you can use aliases of your HackerOne email address](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). Clearly identifying accounts that are associated with bounty research helps our teams to differentiate between possibly malicious activity and that of researchers involved in our Bug Bounty program. Please note that adding your HackerOne email address does not provide any exemptions to our Terms of Service or permit you to act beyond our bounty rules and scope.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. 
`https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. 
Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#rewards).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability, and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. 
To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services, but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. 
All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope.\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope.\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-21T20:50:49.130Z"},{"id":3679820,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* We recommend adding your HackerOne `@wearehackerone.com` email address to any GitHub account that you use to perform security research and testing. If you use multiple GitHub accounts for testing, [you can use aliases of your HackerOne email address](https://docs.hackerone.com/hackers/hacker-email-alias.html#multiple-aliases). Clearly identifying accounts that are associated with bounty research helps our teams to differentiate between possibly malicious activity and that of researchers involved in our Bug Bounty program. Please note that adding your HackerOne email address does not provide any exemptions to our Terms of Service or permit you to act beyond our bounty rules and scope.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. 
For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. 
We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. 
We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope.\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope.\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-10T21:07:33.495Z"},{"id":3676815,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`):\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. 
To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. 
All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope.\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope.\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-31T07:49:20.246Z"},{"id":3676662,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`):\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. 
To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services.. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets.. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data.. 
All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services.. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services.. All subdomains under `githubwebhooks.net` are in-scope\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nThis is our main domain for Semmle and LGTM services. (Due to the [deprecation of LGTM.com](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/), this target will become out-of-scope for the GitHub bug bounty program on August 30th.). All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nThis is our domain for non-production Semmle services. (Due to the [deprecation of LGTM.com](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/), this target will become out-of-scope for the GitHub bug bounty program on August 30th.). All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nThis is our domain for serving LGTM downloads. (Due to the [deprecation of LGTM.com](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/), this target will become out-of-scope for the GitHub bug bounty program on August 30th.). All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. 
(Due to the [deprecation of LGTM.com](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/), this target will become out-of-scope for the GitHub bug bounty program on August 30th.). All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. (Due to the [deprecation of LGTM.com](https://github.blog/2022-08-15-the-next-step-for-lgtm-com-github-code-scanning/), this target will become out-of-scope for the GitHub bug bounty program on August 30th.). All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites.. All subdomains under `npmjs.com` are in-scope\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs.. All subdomains under `npmjs.org` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-26T20:23:05.472Z"},{"id":3676244,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. 
To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services.. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets.. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data.. 
All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services.. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services.. All subdomains under `githubwebhooks.net` are in-scope\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nThis is our main domain for Semmle and LGTM services.. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nThis is our domain for non-production Semmle services.. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nThis is our domain for serving LGTM downloads.. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research.. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks.. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites.. All subdomains under `npmjs.com` are in-scope\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs.. 
All subdomains under `npmjs.org` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-17T21:43:08.005Z"},{"id":3668608,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. 
To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services.. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets.. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data.. 
All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services.. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services.. All subdomains under `githubwebhooks.net` are in-scope\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nThis is our main domain for Semmle and LGTM services.. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nThis is our domain for non-production Semmle services.. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nThis is our domain for serving LGTM downloads.. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research.. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks.. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites.. All subdomains under `npmjs.com` are in-scope\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs.. 
All subdomains under `npmjs.org` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-29T15:39:11.071Z"},{"id":3666203,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. If the bounty has already been processed into your account, it can no longer be donated through HackerOne and is no longer eligible for matching donations. 
To reduce the likelihood of a bounty being processed before it can be donated, we recommend [changing your payment preferences to monthly in your account settings](https://docs.hackerone.com/hackers/payout-methods.html). To donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services.. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets.. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data.. 
All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services.. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services.. All subdomains under `githubwebhooks.net` are in-scope\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nThis is our main domain for Semmle and LGTM services.. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nThis is our domain for non-production Semmle services.. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nThis is our domain for serving LGTM downloads.. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research.. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks.. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites.. All subdomains under `npmjs.com` are in-scope\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs.. 
All subdomains under `npmjs.org` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of a private package on npm that should be inaccessible\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-07T20:05:14.953Z"},{"id":3665741,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to coordinate disclosure through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. 
In order to donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. 
All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nThis is our main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nThis is our domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nThis is our domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of a private package on npm that should be inaccessible\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-01T23:33:05.687Z"},{"id":3658192,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. 
In order to donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in scope, *not* eligible for rewards, and *not* covered by [our legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nThis is our main domain for hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nThis is our domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nThis is our domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nThis is our domain for hosting employee-facing services. 
All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nThis is our domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope\n\n### github.net\n\nThis is our domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nThis is our main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nThis is our domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nThis is our domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nThis is an instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n### npmjs.com\n\nThis is the domain for npm's public-facing websites. All subdomains under `npmjs.com` are in-scope\n\n### npmjs.org\n\nThis is the domain for npm's registry, public-facing databases, and APIs. All subdomains under `npmjs.org` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to a GitHub product itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a server in our production network\n* arbitrary SQL queries on a production database\n* bypassing the login process, either password or 2FA\n* access to sensitive production user data or access to internal production systems\n* accessing another user's data in the GitHub Actions service\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline, and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) that bypasses CSP\n* bypassing authorization logic to grant a repository or package collaborator more access than intended\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket\n* overwriting a customer repository or package that should be inaccessible\n* gaining access to a non-critical resource that only employees should be able to reach\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository\n* sending authentication credentials from a client app to an unintended server\n* code execution in a client app that requires no user interaction, such as arbitrary code execution upon repo clone, [package install with the `--ignore-scripts` flag](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts), or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories, which should be inaccessible\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n* code execution in a client app that requires minimal, expected user interaction, such as performing actions on a repository or [with a package](https://docs.npmjs.com/cli/v7/using-npm/config#ignore-scripts) that a user would not expect to lead to code execution\n* package integrity compromise, i.e., downloading a package that does not match the integrity as defined in `package-lock.json`\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information\n* triggering application exceptions that could affect many users\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com\n* disclosing the existence of a private package on npm that should be inaccessible\n* novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product\n* credentials such as those from the `.npmrc` file or from GitHub Enterprise Server being leaked in logs\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-10T23:08:12.115Z"},{"id":3657628,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* If you would prefer to donate your bounty reward to an established 501(c)(3) charitable organization, GitHub will match your donation. 
In order to donate your reward and have it matched, submit a support ticket to HackerOne with the following information: \n  * the report ID for which you want to donate the bounty;\n  * the name and website of the charity you want to donate to;\n  * that you would like the donation matched using GitHub's process; and \n  * whether you want to be named as the donor or would prefer to remain anonymous. Keep in mind that we can only attribute the donation to you if the charity allows us to give a name.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. 
All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nOur domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires no user interaction, such as arbitrary code execution upon repo clone or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires minimal, expected user interaction, such as performing actions on a repository that a user would not expect to lead to code execution.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc., which are mitigated by CSP on GitHub.com\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-30T19:49:20.228Z"},{"id":3651673,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down 
vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any 
bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. 
We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. 
Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### githubwebhooks.net\n\nOur domain for receiving webhooks for employee-facing services. All subdomains under `githubwebhooks.net` are in-scope\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. 
All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads.. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research.. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks.. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires no user interaction, such as arbitrary code execution upon repo clone or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other user's data or private networked resources\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires minimal, expected user interaction, such as performing actions on a repository that a user would not expect to lead to code execution.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc, which are mitigated by CSP on GitHub.com\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-28T17:40:30.903Z"},{"id":3648709,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with internet companies to hunt down 
vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://docs.github.com/en/github/site-policy/github-terms-of-service) as well as the following:\n\n  * you are not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any 
bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n  * We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region. For more information, please see https://www.hackerone.com/disclosure-guidelines.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. 
We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We do not currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. 
Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services.. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets.. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data.. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services.. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. 
All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads.. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research.. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks.. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires no user interaction, such as arbitrary code execution upon repo clone or via a protocol handler\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other user's data or private networked resources\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires minimal, expected user interaction, such as performing actions on a repository that a user would not expect to lead to code execution.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc, which are mitigated by CSP on GitHub.com\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-12T22:53:46.958Z"},{"id":3647764,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down 
vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * you're not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your 
own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html). We strongly recommend/prefer this method for researching denial of service issues.\n  * If you choose to test on GitHub proper (i.e. `https://github.com`)\n    * Research **must** be performed in organizations or repositories you own\n    * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. 
Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. 
Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services.. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets.. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data.. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services.. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads.. 
All subdomains under `downloads.lgtm.com` are in-scope.\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope.\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally narrower in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker-controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires no user interaction, such as arbitrary code execution upon repo clone or via a protocol handler.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker-controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low-risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources.\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires minimal, expected user interaction, such as performing actions on a repository that a user would not expect to lead to code execution.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege and little ability for an attacker to trigger unintended behavior. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM.\n* injecting JavaScript event handlers into links, etc., which are mitigated by CSP on GitHub.com.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-15T00:01:03.253Z"},{"id":3646043,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). 
Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * you're not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. 
We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial-of-service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. 
The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities, you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. 
We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues may be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope.\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope.\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. 
All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope.\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally narrower in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker-controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires no user interaction, such as arbitrary code execution upon repo clone or via a protocol handler.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker-controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low-risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources.\n* code execution in a client app (GitHub Desktop, GitHub Mobile or GitHub CLI) that requires minimal, expected user interaction, such as performing actions on a repository that a user would not expect to lead to code execution.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege and little ability for an attacker to trigger unintended behavior. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM.\n* injecting JavaScript event handlers into links, etc., which are mitigated by CSP on GitHub.com.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-20T19:06:13.119Z"},{"id":3643721,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). 
Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * you're not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. 
We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial-of-service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. 
The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities, you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. 
We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope.\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope.\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. 
All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope.\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM.\n* injecting JavaScript event handlers into links, etc., which are mitigated by CSP on GitHub.com.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-13T16:14:00.473Z"},{"id":3640938,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). 
Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * you're not currently a GitHub employee or contractor, were not a GitHub employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. 
We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own.\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html).\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. 
The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. 
We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope.\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope.\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. 
All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope.\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM.\n* injecting JavaScript event handlers into links, etc., which are mitigated by CSP on GitHub.com.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-04T13:57:39.628Z"},{"id":3639794,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). 
Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). 
We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. 
For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own.\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html).\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. 
This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. 
These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. 
All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope.\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope.\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope.\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n* injecting JavaScript event handlers into links, etc, which are mitigated by CSP on GitHub.com\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-20T16:25:02.608Z"},{"id":3634579,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. 
Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to 
terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. 
Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. 
GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. 
All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-03T18:42:51.903Z"},{"id":3633918,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. 
Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the [list of domains](https://bounty.github.com#scope) that are in scope for the Bug Bounty program and the [list of targets](https://bounty.github.com#targets) for useful information for getting started.\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to 
terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) 
with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. 
Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. 
Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. 
GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. 
All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* bypassing billing \u0026 plan restrictions to gain access to paid features.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-25T15:27:03.197Z"},{"id":3633857,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. 
Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. 
If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. 
We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. 
All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* bypassing billing \u0026 plan restrictions to gain access to paid features.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-24T22:51:28.519Z"},{"id":3633439,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). 
Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). 
We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. 
For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. 
This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. 
These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose to do so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. 
All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* bypassing billing \u0026 plan restrictions to gain access to paid features.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-19T18:39:55.711Z"},{"id":3633438,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. 
Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. 
If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. 
We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* GitHub is a CVE Numbering Authority (CNA) for GitHub Enterprise Server. Eligible Bug Bounty submissions that affect GitHub Enterprise Server may be assigned CVEs. These CVEs will be shared with submitters via HackerOne, included in [bounty write-ups](https://bounty.github.com/bounty-hunters.html) and listed in the GitHub Enterprise Server [release notes](https://enterprise.github.com/releases).\n* You may prefer the reward go toward helping others. If you choose so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. 
All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. 
All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. 
For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* bypassing billing \u0026 plan restrictions to gain access to paid features.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-19T18:39:01.273Z"},{"id":3628532,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). 
Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). 
We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Spamming content\n  * Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.\n    * Note: We _do_ allow the use of automated tools so long as they do not produce excessive amounts of traffic. 
For example, running one `nmap` scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. 
This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer the reward go toward helping others. If you choose so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. 
Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `atom-io.githubapp.com`\n* `atom-io-staging.githubapp.com`\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope\n\n### semmle.com\n\nOur main domain for Semmle and LGTM services. 
All subdomains under `semmle.com` are in-scope *except*:\n* `dev.semmle.com`\n* `git.semmle.com`\n* `jira.semmle.com`\n* `wiki.semmle.com`\n\n### semmle.net\n\nOur domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope\n\n### downloads.lgtm.com\n\nOur domain for serving LGTM downloads. All subdomains under `downloads.lgtm.com` are in-scope\n\n### lgtm-com.pentesting.semmle.net\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html) especially for Bug Bounty research. All subdomains under `lgtm-com.pentesting.semmle.net` are in-scope\n\n### backend-dot-lgtm-penetration-testing.appspot.com\n\nAn instance of [LGTM](https://bounty.github.com/targets/lgtm.html)'s backend used for triggering automated tasks. All subdomains under `backend-dot-lgtm-penetration-testing.appspot.com` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n* accessing another user's data in the GitHub Actions service.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* using the GitHub Actions repo-scoped GitHub token to access high-risk private content outside of that repository.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n* escaping the LGTM worker sandbox to access other users' data or private networked resources\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* bypassing billing \u0026 plan restrictions to gain access to paid features.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n* triggering XSS or CSRF vulnerabilities in LGTM\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-16T19:31:16.621Z"},{"id":3612037,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. 
Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Using scanners, scrapers or any other automated tools in your testing\n  * Spamming content\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. 
For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer the reward go toward helping others. 
If you choose so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services.. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets.. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data.. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services.. All subdomains under `githubapp.com` are in-scope *except*:\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. 
All subdomains under `github.net` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* bypassing billing \u0026 plan restrictions to gain access to paid features.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-17T18:09:51.031Z"},{"id":3605798,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. 
Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). 
Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* The following are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for:\n\n  * Performing distributed denial of service (DDoS) or other volumetric attacks\n  * Using scanners, scrapers or any other automated tools in your testing\n  * Spamming content\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately* and do not attempt to access any other data. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. 
For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose your submission until GitHub has evaluated the impact.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer the reward go toward helping others. 
If you choose so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services.. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets.. All subdomains under `githubassets.com` are in-scope\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data.. All subdomains under `githubusercontent.com` are in-scope\n\n### githubapp.com\n\nOur domain for hosting employee-facing services.. All subdomains under `githubapp.com` are in-scope *except*:\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network.. 
All subdomains under `github.net` are in-scope\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-22T18:53:59.518Z"},{"id":3603961,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of  $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n  * Research **must** be performed in organizations or repositories you own\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability, GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html)\n* Distributed denial of service (DDoS), spam or other volumetric attacks are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for performing such attacks.\n* Do not use scanners, scrapers or any other automated tools in your testing. They're noisy and we may suspend your GitHub account and ban your IP address.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately*. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. 
For SQL injection, for example, limit the number of rows returned\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose a bug before it has been fixed.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer the reward go toward helping others. 
If you so choose, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services, but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `blog.github.com`\n* `community.github.com`\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `shop.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubassets.com\n\nOur domain for hosting static assets. All subdomains under `githubassets.com` are in-scope.\n\n### githubusercontent.com\n\nOur domain for hosting and rendering users' data. All subdomains under `githubusercontent.com` are in-scope.\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. 
All subdomains under `github.net` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-01T14:03:30.978Z"},{"id":3603320,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n  * Research **must** be performed in organizations or repositories you own.\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html).\n* Distributed denial of service (DDoS), spam or other volumetric attacks are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for performing such attacks.\n* Do not use scanners, scrapers or any other automated tools in your testing. They're noisy and we may suspend your GitHub account and ban your IP address.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifiable information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately*. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. 
For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose a bug before it has been fixed.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer that the reward go toward helping others. 
If you so choose, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services, but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal_safe_harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-21T22:29:00.928Z"},{"id":3603102,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n  * Research **must** be performed in organizations or repositories you own.\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html).\n* Distributed denial of service (DDoS), spam or other volumetric attacks are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for performing such attacks.\n* Do not use scanners, scrapers or any other automated tools in your testing. They're noisy and we may suspend your GitHub account and ban your IP address.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifiable information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately*. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. 
For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose a bug before it has been fixed.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched, so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer that the reward go toward helping others. 
If you so choose, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services, but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal-safe-harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-19T21:52:28.336Z"},{"id":3603101,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope) and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties, e.g. `shop.github.com`, and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n  * Research **must** be performed in organizations or repositories you own.\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html).\n* Distributed denial of service (DDoS), spam or other volumetric attacks are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for performing such attacks.\n* Do not use scanners, scrapers or any other automated tools in your testing. They're noisy and we may suspend your GitHub account and ban your IP address.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately*. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. 
For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose a bug before it has been fixed.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer the reward go toward helping others. 
If you choose so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal-safe-harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-19T21:43:59.887Z"},{"id":3603089,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope), [targets](https://bounty.github.com/#targets), and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n  * Research **must** be performed in organizations or repositories you own.\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html).\n* Distributed denial of service (DDoS), spam or other volumetric attacks are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for performing such attacks.\n* Do not use scanners, scrapers or any other automated tools in your testing. They're noisy and we may suspend your GitHub account and ban your IP address.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately*. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. 
For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose a bug before it has been fixed.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer the reward go toward helping others. 
If you choose so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal-safe-harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-19T20:13:45.036Z"},{"id":3603064,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Our bounty program gives a tip of the hat to these researchers and provides rewards of $30,000 or more for critical vulnerabilities.\n\n\nYou can find more information in our [rules](https://bounty.github.com/#rules), [scope](https://bounty.github.com/#scope) and [FAQ](https://bounty.github.com/#faqs) sections. 
You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Before you start\n\n* Check the list of bugs that have been [classified as ineligible](https://bounty.github.com/ineligible.html). Submissions which are ineligible will likely be closed as `Not Applicable`.\n* Check the [GitHub Changelog](https://github.blog/changelog/) for recently launched features.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at `bounty@github.com`.\n* By participating in GitHub's Bug Bounty program (the \"Program\"), you acknowledge that you have read and agree to GitHub's [Terms of Service](https://help.github.com/articles/github-terms-of-service) as well as the following:\n\n  * you're not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, Sudan, and Syria.\n\n  * your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.\n\n  * you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.\n\n  * GitHub reserves the right to terminate or discontinue the Program at its discretion.\n\n  * Only test for vulnerabilities on sites you know to be operated by GitHub and are [in-scope](https://bounty.github.com#scope). Some sites hosted on subdomains of `GitHub.com` are operated by third parties, e.g. `shop.github.com`, and should not be tested.\n\n\n### Legal safe harbor\n\nYour research is covered by the [GitHub Bug Bounty Program Legal Safe Harbor](https://help.github.com/articles/github-bug-bounty-program-legal-safe-harbor/) policy. 
In summary:\n* We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug bounty program's scope.\n* We want you to responsibly disclose through our bug bounty program, and don't want researchers put in fear of legal consequences because of their good faith attempts to comply with our bug bounty policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.\n* Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.\n* If your security research as part of the bug bounty program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption.\n\n\n### Performing your research\n\n* Do not impact other users with your testing, this includes testing vulnerabilities in repositories or organizations you do not own. 
If you are attempting to find an authorization bypass, you must use accounts you own.\n* Researching denial-of-service attacks is allowed and eligible for rewards only if you follow these rules:\n  * Research **must** be performed in organizations or repositories you own.\n  * Stop **immediately** if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; GitHub's security team will be able to determine the impact.\n  * There are no limits for researching denial of service vulnerabilities against your own instance of [GitHub Enterprise Server](https://bounty.github.com/targets/github-enterprise-server.html).\n* Distributed denial of service (DDoS), spam or other volumetric attacks are **never** allowed and are ineligible for reward. We may suspend your GitHub account and ban your IP address for performing such attacks.\n* Do not use scanners, scrapers or any other automated tools in your testing. They're noisy and we may suspend your GitHub account and ban your IP address.\n\n\n### Handling personally identifiable information (PII)\n\n* Personally identifying information (PII) includes:\n  * legal and/or full names\n  * names or usernames combined with other identifiers like phone numbers or email addresses\n  * health or financial information (including insurance information, social security numbers, etc.)\n  * information about political or religious affiliations\n  * information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes\n* Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.\n* Report the vulnerability *immediately*. The GitHub Security team will assess the scope and impact of the PII exposure.\n* Limit the amount of data returned from services. 
For SQL injection, for example, limit the number of rows returned.\n* You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.\n* We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.\n\n\n### Reporting your vulnerability\n\n* Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.\n* When reporting vulnerabilities you must keep all information on HackerOne. Do not post information to video-sharing or pastebin sites. Videos and images can be uploaded directly via HackerOne.\n* For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.\n* Do not publicly disclose a bug before it has been fixed.\n\n\n### Receiving your award\n\n* All reward amounts are determined by our [severity guidelines](https://bounty.github.com/#severity-guidelines).\n* You are free to publish write-ups about your vulnerability and GitHub will not limit what you write. We may pay out your reward before the vulnerability is patched so we may ask that you delay publishing to keep other GitHub users safe.\n* Medium, high, and critical severity issues will be written up on the GitHub Bug Bounty site and included in our leaderboard. We don't currently post write-ups for low severity vulnerabilities.\n* You may prefer the reward go toward helping others. 
If you choose so, GitHub will donate your reward to an established 501(c)(3) charitable organization of your choice. GitHub will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of GitHub's choosing.\n\n\n## Scope\n\nGitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are *not* in-scope, *not* eligible for rewards and *not* covered by our [legal safe harbor](https://bounty.github.com#legal-safe-harbor).\n\n\n### github.com\n\nOur main domain hosting user-facing GitHub services. All subdomains under `github.com` are in-scope *except*:\n* `email.enterprise.github.com`\n* `email.finance.github.com`\n* `email.staging.finance.github.com`\n* `email.support.github.com`\n* `email.verify.github.com`\n* `google7650dcf6146f04d8.github.com`\n* `k1._domainkey.github.com`\n* `k1._domainkey.mcmail.github.com`\n* `mcmail.github.com`\n* `resources.github.com`\n* `*.resources.github.com`\n* `sgmail.github.com`\n* `*.sgmail.github.com`\n* `smtp.github.com`\n* `*.smtp.github.com`\n* `support.github.com`\n\n### githubapp.com\n\nOur domain for hosting employee-facing services. All subdomains under `githubapp.com` are in-scope *except*:\n* `email.enterprise-staging.githubapp.com`\n* `email.haystack.githubapp.com`\n* `reply.githubapp.com`\n\n### github.net\n\nOur domain for hosting GitHub's internal production services. Many of these services are not accessible from outside our internal network. All subdomains under `github.net` are in-scope.\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. 
Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $20,000 - $30,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\nThe upper bound for critical vulnerabilities, $30,000, is only a guideline and GitHub may reward higher amounts for exceptional reports.\n\n\n### High: $10,000 - $20,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n* code execution in a desktop app that requires no user interaction.\n\n\n### Medium: $4,000 - $10,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. 
For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $617 - $2,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* bypassing community-and-safety features such as locked conversations.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-19T17:23:23.267Z"},{"id":3593049,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by [Google](https://www.google.com/about/appsecurity/reward-program/), [Facebook](https://www.facebook.com/whitehat), [Mozilla](https://www.mozilla.org/en-US/security/bug-bounty/), and others have helped to create a strong bug-hunting community. 
Our bounty program gives a tip of the hat to these researchers and provides some cold hard cash for their efforts.\n\n\nYou can find more information in the [rules](https://bounty.github.com/#rules) and [FAQs](https://bounty.github.com/#faqs). You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy hacking!\n\n\n## Rules\n\n### Rules for you\n\n* Don't attempt to gain access to another user's account or data.\n* Don't perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are **not** allowed.\n* Don't publicly disclose a bug before it has been fixed.\n* Only test for vulnerabilities on sites you know to be operated by GitHub and listed under [Open bounties](https://bounty.github.com#open-bounties). Some sites hosted on subdomains of `GitHub.com` are operated by third parties, e.g. `shop.github.com`, and should not be tested.\n* Do not impact other users with your testing, this includes testing for vulnerabilities in repositories you do not own. We may suspend your GitHub account and ban your IP address if you do so.\n* Don't use scanners, scrapers or any other automated tools in your testing. They're noisy and we may suspend your GitHub account and ban your IP address.\n* Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* When in doubt, contact us at bounty@github.com.\n\n\n### Rules for us\n\n* We will respond as quickly as possible to your submission.\n* We will keep you updated as we work to fix the bug you submitted.\n* We will not take legal action against you if you play by the rules.\n\n\n### What does not qualify?\n\n* Bugs that don't affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). 
Bugs related to browser extensions are also out of scope.\n* Bugs requiring exceedingly unlikely user interaction.\n* Submissions which don't include steps to reproduce the bug, or only include those steps in video form.\n* Bugs, such as timing attacks, that prove the existence of a private repository or user.\n* Insecure cookie settings for non-sensitive cookies.\n* Disclosure of public information and information that does not present significant risk.\n* Bugs that have already been submitted by another user, that we are already aware of, or that have been [classified as ineligible](https://bounty.github.com/ineligible.html).\n* Bugs in applications not listed under [Open bounties](https://bounty.github.com#open-bounties) are generally not eligible. Look at individual bounties for details on scope.\n* Bugs in content/services that are not owned/operated by GitHub. This includes our users' code, GitHub Pages sites, and third party services operating on subdomains of GitHub.com.\n* Vulnerabilities that GitHub determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.\n* Scripting or other automation and brute forcing of intended functionality.\n* For guidance, we have listed the [Vulnerability classifications](https://bounty.github.com/classifications.html) we use to organize submissions made to the Bounty program.\n* When in doubt, contact us at bounty@github.com.\n\n\n## Severity Guidelines\n\nAll bounty submissions are rated by GitHub using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:\n\n\n### Critical: $10,000 - $20,000\n\nCritical severity issues present a direct and immediate risk to a broad array of our users or to GitHub itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. 
For example:\n* arbitrary code/command execution on a GitHub server in our production network.\n* arbitrary SQL queries on the GitHub production database.\n* bypassing the GitHub login process, either password or 2FA.\n* access to sensitive production user data or access to internal production systems.\n\n\n### High: $5,000 - $10,000\n\nHigh severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:\n* injecting attacker controlled content into GitHub.com (XSS) which bypasses CSP.\n* bypassing authorization logic to grant a repository collaborator more access than intended.\n* discovering sensitive user or GitHub data in a publicly exposed resource, such as an S3 bucket.\n* gaining access to a non-critical resource that only GitHub employees should be able to reach.\n\n\n### Medium: $1,000 - $5,000\n\nMedium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:\n* disclosing the title of issues in private repositories which should be inaccessible.\n* injecting attacker controlled content into GitHub.com (XSS) but not bypassing CSP or executing sensitive actions with another user's session.\n* bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.\n\n\n### Low: $555 - $1,000\n\nLow severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. 
For example:\n* signing up arbitrary users for access to an \"early access feature\" without their consent.\n* creating an issue comment that bypasses our image proxying filter by providing a malformed URL.\n* triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.\n* triggering application exceptions that could affect many GitHub users.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-30T14:32:37.355Z"},{"id":2484208,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by [Google](http://www.google.com/about/appsecurity/reward-program/), [Facebook](https://www.facebook.com/whitehat), [Mozilla](http://www.mozilla.org/security/bug-bounty.html), and others have helped to create a strong bug-hunting community. Our bounty program gives a tip of the hat to these researchers and provides some cold hard cash for their efforts.\n\nYou can find more information in the [rules](https://bounty.github.com/#rules) and [FAQs](https://bounty.github.com/#faqs). You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy bug hunting!\n\n## Rules\n\n### Rules for you\n\n*   Don’t attempt to gain access to another user’s account or data.\n*   Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are **not** allowed.\n*   Don’t publicly disclose a bug before it has been fixed.\n*   Do not impact other users with your testing, this includes testing for vulnerabilities in repositories you do not own. 
We may suspend your GitHub account and ban your IP address if you do so.\n*   Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your GitHub account and ban your IP address.\n*   Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n*   When in doubt, email us: bounty@github.com.\n\n### Rules for us\n\n*   We will respond as quickly as possible to your submission.\n*   We will keep you updated as we work to fix the bug you submitted.\n*   We will not take legal action against you if you play by the rules.\n\n### What does not qualify?\n\n*   Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.\n*   Bugs requiring exceedingly unlikely user interaction.\n*   Bugs, such as timing attacks, that prove the existence of a private repository or user.\n*   Insecure cookie settings for non-sensitive cookies.\n*   Disclosure of public information and information that does not present significant risk.\n*   Bugs that have already been submitted by another user, that we are already aware of, or that have been [classified as ineligible](https://bounty.github.com/ineligible.html).\n*   Bugs in applications not listed under [Open bounties](https://bounty.github.com#open-bounties) are generally not eligible. Look at individual bounties for details on scope.\n*   Bugs in content/services that are not owned/operated by GitHub. 
This includes our users’ code, GitHub Pages sites, and third party services operating on subdomains of GitHub.com.\n*   Vulnerabilities that GitHub determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.\n*   Scripting or other automation and brute forcing of intended functionality.\n*   When in doubt, email us: bounty@github.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-12T19:17:52.090Z"},{"id":2484206,"new_policy":"# GitHub Security Bug Bounty\n\nSoftware security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by [Google](http://www.google.com/about/appsecurity/reward-program/), [Facebook](https://www.facebook.com/whitehat), [Mozilla](http://www.mozilla.org/security/bug-bounty.html), and others have helped to create a strong bug-hunting community. Our bounty program gives a tip of the hat to these researchers and provides some cold hard cash for their efforts.\n\nIf you’ve found a vulnerability, [submit it here](https://bounty.github.com/submit-a-vulnerability.html). You can find more information in the [rules](https://bounty.github.com/#rules) and [FAQs](https://bounty.github.com/#faqs). You can also check the current rankings on the [leaderboard](https://bounty.github.com/#leaderboard).\n\nHappy bug hunting!\n\n## Rules\n\n### Rules for you\n\n*   Don’t attempt to gain access to another user’s account or data.\n*   Don’t perform any attack that could harm the reliability/integrity of our services or data. 
DDoS/spam attacks are **not** allowed.\n*   Don’t publicly disclose a bug before it has been fixed.\n*   Do not impact other users with your testing, this includes testing for vulnerabilities in repositories you do not own. We may suspend your GitHub account and ban your IP address if you do so.\n*   Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your GitHub account and ban your IP address.\n*   Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n*   When in doubt, email us: bounty@github.com.\n\n### Rules for us\n\n*   We will respond as quickly as possible to your submission.\n*   We will keep you updated as we work to fix the bug you submitted.\n*   We will not take legal action against you if you play by the rules.\n\n### What does not qualify?\n\n*   Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.\n*   Bugs requiring exceedingly unlikely user interaction.\n*   Bugs, such as timing attacks, that prove the existence of a private repository or user.\n*   Insecure cookie settings for non-sensitive cookies.\n*   Disclosure of public information and information that does not present significant risk.\n*   Bugs that have already been submitted by another user, that we are already aware of, or that have been [classified as ineligible](https://bounty.github.com/ineligible.html).\n*   Bugs in applications not listed under [Open bounties](#open-bounties) are generally not eligible. Look at individual bounties for details on scope.\n*   Bugs in content/services that are not owned/operated by GitHub. 
This includes our users’ code, GitHub Pages sites, and third party services operating on subdomains of GitHub.com.\n*   Vulnerabilities that GitHub determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.\n*   Scripting or other automation and brute forcing of intended functionality.\n*   When in doubt, email us: bounty@github.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-12T19:17:51.968Z"}]