Hackers and software security researchers can start earning cold hard cash through GitHub’s Bug Bounty program. The company will dish out US$100 to $5,000 to those who hunt down bugs and report vulnerabilities through their responsible disclosure process.
The bounty program is a way for GitHub to maintain its users’ trust and improve the security of its services.
The amount a person gets when disclosing vulnerabilities is determined at GitHub’s discretion based on actual risk and potential impact to users. For example, if someone finds a reflected cross-site scripting (XSS) vulnerability that is only possible in Opera, which represents less than 2% of GitHub’s traffic, then the reward would be on the low end. Finding a persistent XSS that works in Chrome, which represents more than 60% of traffic, will earn someone a big reward.
Currently, the bounty program is open for a subset of GitHub’s products and services, but the list is expected to expand once the program gets going.
Payments will be made through PayPal. Before any payment is made, researchers have to fill out a W-9 or W-8BEN form. If documentation is not submitted, then the researcher won’t be paid.
In addition to payments, researchers will also be assigned a point value for each vulnerability. Those with the most points will be listed on the leaderboard.
Researchers between the ages of 13 and 18 are eligible to participate. Those in the United States must have a parent or guardian’s consent in order to qualify.
Vulnerabilities can be submitted here.