Source code hosting site GitHub will raise its bug bounty program's maximum payout from $5,000 to $10,000 in the program's second year.
The company made the announcement in a Wednesday blog post reviewing its program’s inaugural year. Researchers submitted 1,920 vulnerabilities in 2014, 869 of which required further review. Additionally, 73 previously unknown security vulnerabilities were identified and fixed.
More than 30 researchers received a cumulative $50,100 for the 57 medium- to high-risk vulnerabilities they reported, the blog entry stated.
The top submitter discovered a DOM-based cross-site scripting vulnerability that relied on a previously unknown Chrome browser bug and allowed GitHub's Content Security Policy to be bypassed, the blog revealed.
The second-highest submitter found a complex vulnerability in the communication between two of GitHub's backend services that could have let an attacker set arbitrary environment variables.