GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.
Rewards range from $200 up to $10000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.
You can find the app at https://github.com.
Resources and features within the github.com domain.
TCP ports 80, 443, 22, 9418.
Git services are in scope.
Subdomains (e.g. Gist, API, etc.) are not in scope, nor is anything hosted on the github.io domain.
Obviously, vulnerabilities in user hosted code do not qualify.
| Rank | Points | Researcher | Submission |
| --- | --- | --- | --- |
| 1 | 500 pts | Rohit Dua | Private Atom feed access token leak from Referer header |
| 2 | 500 pts | Georges.L | Existence of private repositories revealed by duplicate response header |
| 3 | 1000 pts | Rohit Dua | Bypass organization paid plan billing validation |
| 4 | 1000 pts | Kamil Hismatullin | Wiki content disclosure via forks |
| 5 | 500 pts | @h8rry | Email replies disclose "mute the thread" token |