One year ago …

… the GitHub Security Lab launched a specialized bounty program. Unlike your typical bug bounty programs, the hunter is not paid to find security vulnerabilities, but to help the community eradicate them at scale. By submitting a CodeQL query for a given vulnerability class, a bug bounty hunter enables the community of security researchers to find more bugs of this class, and also broadens the automated security checks run by GitHub code scanning that protect open source projects against future occurrences.

This program is at the heart of what we aim to do with the community: share security knowledge, amplify the work of our members, and empower developers. In addition to this program, we offer a public Slack instance where security researchers can hang out and discuss CodeQL and all things security. We also take any occasion we have to contribute to conferences and share our knowledge on security techniques such as static analysis with CodeQL or fuzzing, in talks and in workshops. Finally, because we believe that learning should be fun, we create Capture the Flag (CTF) challenges for the community.

Where are we at?

So far we have awarded a total of $100,000 in bounties, to about 20 different hunters, for 55 contributions. Let’s have a look at these great contributions to open source security!

This submission from Jonathan Leitschuh, which detects uses of an insecure protocol to download or upload Java Maven artifacts, is a very good example of what the community can do to eradicate a vulnerability at scale! Not only did Jonathan report these vulnerabilities to many projects, but he decided to go above and beyond and actually fix all the occurrences he could find, opening more than 1,500 pull requests to affected open source projects.

Grzegorz Goławski created a query to detect a severe LDAP injection that allows an attacker to exfiltrate LDAP user information, including the admin user. His query discovered the same pattern in several other open source projects, which were then fixed. These queries now run automatically on your projects through GitHub code scanning, securing them against these vulnerabilities.

Slavomir recently created a visual tool to help other CodeQL writers expand their queries. With this contribution, he transforms the traditional solitary bounty hunt into a social activity, enabling more hunters to join the pack! Shout out to the rest of the pack: cldrn, SpaceWhite, p-, Mithrilwoodrat, luchua-bc, intrigus-lgtm, theopolis, kyprizel, artem-smotrakov, monkey-junkie, JordyZomer, porcupineyhairs, catenacyber, dellalibera.

Our public Slack workspace currently welcomes 750 members, a number that is steadily increasing. We have registered more than 2,000 attendees at our workshops and trainings.

What is next?

We have seen very impressive contributions that demonstrate our community members are truly motivated by the impact they have on the wider open source community. They have embraced the mission of helping secure open source at scale and empowering others. The vision of the GitHub Security Lab is to empower anyone willing to secure open source, security researchers and open source contributors alike.

We want to encourage more high-quality contributions, and this is why starting today, we are increasing the bounty rewards for the High and Critical levels of our programs! Our All For One bounty will now reward up to $6,000 for the highest-quality submissions, and our Bug Slayer bounty up to $5,000.

We are looking forward to your contributions and invite you to visit our bounty programs and join the pack!