Slashdot Mirror

← Back to Stories (view on slashdot.org)

GitHub Launches Bug Bounty Program, Offers Between $100 and $5,000

Posted by timothy on from the bounteous-maximus dept.

An anonymous reader writes "GitHub today launched the GitHub Bug Bounty program 'to better engage with security researchers.' In short, the company will pay between $100 and $5,000 for each security vulnerability discovered and responsibly disclosed by hackers. The program currently covers the GitHub API, GitHub Gist, and GitHub.com. GitHub says its other Web properties and applications are not part of the program, but it says vulnerabilities found 'may receive a cash reward at our discretion.'"

14 comments

  1. Profit by Anonymous Coward · · Score: 0

    1. Upload buggy vulnerable code.
    2. Submit bug report.
    3. ???
    4. Profit

    1. Re:Profit by Anonymous Coward · · Score: 1, Interesting

      In the GitHub system, not GitHub user code, numbnuts.

      But seriously, this whole gameification of work is getting pathetic. Everyone's a freelance mercenary fighting for scraps, and kids brought up on a battery of constant useless testing lap it up. No benefits and no job security.

    2. Re:Profit by Anonymous Coward · · Score: 0

      > this whole gameification of work is getting pathetic

      You mean crowdsourcing, not gameification. Whatever you're angry at, it has nothing to do with what GitHub is doing.

      > Everyone's a freelance mercenary fighting for scraps, and kids brought up on a battery of constant useless testing lap it up.

      You know how I know you're an amateur developer who's limped by for years on the back of other people's work?

    3. Re:Profit by Anonymous Coward · · Score: 0

      > this whole gameification of work is getting pathetic

      You mean crowdsourcing, not gameification. Whatever you're angry at, it has nothing to do with what GitHub is doing.

      > Everyone's a freelance mercenary fighting for scraps, and kids brought up on a battery of constant useless testing lap it up.

      You know how I know you're an amateur developer who's limped by for years on the back of other people's work?

      Oh please do tell...

    4. Re:Profit by Anonymous Coward · · Score: 0

      GP is correct: it is a degenerate case of Soviet gamification, or "socialist competition"(*), where you treat almost everyone like shit, but provide a reward to one or two lucky top dogs. Everyone else pushes themselves for no reward in the inevitably empty hope of reaching the top.

      It is necessary in primitive pioneer economies but is unsustainable - a market either moves to permanent, waged labour or falls apart, as it cannot compete with systems which nurture and build on the experience of their workforce. In the short term it's merely exploitative and makes use of the casual labour of precisely the "amateur" developers you denigrate.

      (*) The name's misleading, as Lenin's experiment was really in state capitalism, not socialism, where an employee cannot find a better employer.

    5. Re:Profit by Anonymous Coward · · Score: 0

      > Everyone else pushes themselves for no reward in the inevitably empty hope of reaching the top.

      Implying the "top" is the monetary reward is one of many bad assumptions you have to accept before coming to that erroneous conclusion.

    6. Re:Profit by Anonymous Coward · · Score: 0

      But seriously, this whole gameification of work is getting pathetic. Everyone's a freelance mercenary fighting for scraps, and kids brought up on a battery of constant useless testing lap it up. No benefits and no job security.

      You're right. We owe you a secure job, because.....

  2. a WHOLE 100$ by Anonymous Coward · · Score: 1

    Isn't the bounty range a little low?

    1. Re:a WHOLE 100$ by kthreadd · · Score: 1

      No. Not really. That's just the lower bound.

  3. GitHub is non-free by Anonymous Coward · · Score: 1

    GitHub does not make the source code to it's software available under a free software license and includes non-free JavaScript. The service will also recommend non-free programs which is unethical. You should therefore not use the service, nor should you assist in improving it.

    1. Re:GitHub is non-free by Ibiwan · · Score: 2

      Go home, RMS; you're drunk!

      --
      -- //no comment
    2. Re:GitHub is non-free by yakatz · · Score: 1

      GitHub is one of the best designed Project-Hosting-as-a-Service websites that exists. They pay for hosting an untold number of free open-source repositories by selling their services to teams and companies. You can even buy a GitHub appliance that you host in your own network to make sure your code never leaves.

      If you want to use one of the "free as in speech" Git platforms, by all means, just do. But if you want a GUI, bug tracker, wiki, web hosting, etc. that cost a significant amount of money to develop - yet whose use is given away for free, use GitHub.

  4. voluntary, permanent ignorance by raymorris · · Score: 2

    That is true only if you start from the premise that the vast majority of people are stupid. In this case, that the vast majority of programmers / testers are stupid.

    Employment 40 hours per week is already an option for any programmer or tester who would participate.
    They look at it and guesstimate "running Nessus overnight will take 10 minutes of my time. If there are promising hits following up on the most likely will take ... ".

    One of three things must be true before a programmer participates:

    A) These programmers (math types) see that it's worth taking a quick look, that it's a good value for their time.

    B) They ENJOY finding errors, like solving a puzzle. It's a HOBBY.

    C) 98% of programmers are morons who don't know it's a waste of their time. YOU, however, have it all figured out. You're so much smarter than all of those programmers all over the world.

    I happen to know that B is true. I greatly enjoyed figuring out a bug I could use to take down Wikipedia.

    Your absolute arrogance, your total belief that you and only you have any wisdom or intelligence, blinds you to all of the actual wisdom in the world. When you think you're smarter than everyone else, you learn nothing. You remain in everlasting ignorance; self-inflicted, permanent ignorance.

    1. Re:voluntary, permanent ignorance by Anonymous Coward · · Score: 0

      That is true only if you start from the premise that the vast majority of people are stupid. In this case, that the vast majority of programmers / testers are stupid.

      Chain of logic, please? Are you actually arguing that only stupid people can be tricked into acting against their own interests by the lure of unlikely reward? In which case either your understanding of both psychology and history are embarrassingly naive.

      Employment 40 hours per week is already an option for any programmer or tester who would participate.

      Maybe - maybe not. Sentences like this require evidence. You can't just randomly assert stuff because it might back up your argument if true.

      They look at it and guesstimate "running Nessus overnight will take 10 minutes of my time. If there are promising hits following up on the most likely will take ... ".

      ...as long as it takes for the other ten thousand people doing the same thing.

      A) These programmers (math types) see that it's worth taking a quick look, that it's a good value for their time.

      I am a maths PhD holder, which hopefully makes me a "math type". I previously spent a decade in software development. I know that it's not a good use of my time: the presence of a bounty is in fact severe disincentive, as I'm competing against way more people who are seduced by financial reward. Security bug-finding beyond the initial audit is a mixture of skill and luck - you happen to notice the right thing at the right time - and lots of casual players = banking on luck through numbers, to make up for lack of skill through dedication.

      I happen to know that B is true. I greatly enjoyed figuring out a bug I could use to take down Wikipedia.

      You don't "happen to know that B is true" in general - just in your case, perhaps. I've enjoyed finding bugs that could compromise web sites of various sized organisations, but in no case did the organisation offer a bounty. I remember the time during my slightly more reckless youth (by which I mean 20s - I'm old now) that I casually called up a company and told them that I wanted to show them a method to retrieve tens of thousands of private records via their web site - once I'd got through to their IT department, I instructed step by step. An "ah (beat) oh" gave me a moment of utter elation, and then I got a "thank you"... but heard anything from them again. Yet, within a day, it was fixed.

      THAT was a good use of my time, because I found a minor issue by accident, which I then decided to explore much further; because I had just sold off my business and had time to kill; and because the organisation wasn't trying to farm out the job of finding security flaws to the general public.

      Your absolute arrogance, your total belief that you and only you have any wisdom or intelligence, blinds you to all of the actual wisdom in the world.

      My "total belief that [I] and only [I] have any wisdom or intelligence" - what the hell? Do you get this hyperbolic rhetoric from video games? I e-diagnose serious insecurity manifested as aggression.

      FWIW, I have had the privilege of researching with people far brighter than I'll ever be.. One even won a fairly large mathematical "bounty" - but that was the culmination of thousands of hours of work, and the presence of the bounty had no effect on the number of skilled people working on the problem, IOW it did not substitute dabblers for professional, dedicated researchers for the short-term personal benefit of the offeror.

      I don't think I'm the brightest person in the world - I just don't think I'm the only person in the world who can be huckstered.