Dear CodeQL bounty hunters,

Almost two years ago, we launched the CodeQL Bug Bounty program with the goal of rewarding security researchers who contribute to fixing open source projects at scale. To achieve this goal, we launched two different programs: in All For One, researchers protect against future vulnerabilities and eradicate whole vulnerability classes by coding patterns into CodeQL queries, and in Bug Slayer, they collaborate with maintainers to disclose and fix existing occurrences of these patterns.

Now that we’ve been running both programs for a couple of years and have heard your feedback, we’re revisiting the Bug Slayer program to make the scope clearer and the rewards more attractive, and to help clarify its connection to the All For One program.

TL;DR

The new version of Bug Slayer provides additional rewards on top of an All For One submission when you go the extra mile and use your CodeQL query to disclose and fix vulnerabilities in open source projects.

Read more at https://securitylab.github.com/bounties

We hope to review your submissions soon! Let’s secure open source, together!