
GitHub Security Bug Bounty - mastahyeti
https://github.com/blog/1770-github-security-bug-bounty
======
ig1
The one obvious flaw is the "email us for our PGP key" - distributing the
public key in private and over an insecure channel makes it vulnerable to
replacement.

Has anyone written a "best practices" guide for designing a security page?
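
The replacement risk ig1 describes is what a pinned fingerprint defends against: if the security page publishes the key's fingerprint over HTTPS, a reporter can check any key that later arrives by e-mail against it. The following is an added illustration of that check, not code from the thread or from GitHub's program; it computes an OpenPGP v4 fingerprint as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, a two-octet length, and the Public-Key packet body) and compares it with a pinned value. The key material, creation time, and packet format handled (old-format header, version 4 RSA key only) are all constructed assumptions for the example.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode a positive integer as an OpenPGP MPI (RFC 4880 3.2):
    a two-octet big-endian bit count followed by the magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 Public-Key packet for RSA (RFC 4880 5.5.2):
    version octet 4, creation time, algorithm id 1, then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def public_key_packet(body: bytes) -> bytes:
    """Wrap a body in an old-format packet header: tag 6 with a two-octet length.
    That header octet is 0x99, which is why it also opens the fingerprint material."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def parse_public_key_packet(packet: bytes) -> bytes:
    """Return the body of a 0x99-headed Public-Key packet, rejecting anything else.
    Only the header form produced above is accepted; this is not a general parser."""
    if len(packet) < 3 or packet[0] != 0x99:
        raise ValueError("not an old-format Public-Key packet with two-octet length")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if len(body) != length or packet[3 + length:]:
        raise ValueError("packet length field does not match data")
    if not body or body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || body, upper-case hex."""
    return hashlib.sha1(public_key_packet(body)).hexdigest().upper()


def key_matches_pin(body: bytes, pinned_fingerprint: str) -> bool:
    """Compare an obtained key against a fingerprint pinned from a trusted channel.
    Spaces and case (as in 'ABCD 1234 ...' displays) are normalised first."""
    expected = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(body), expected)


# Constructed sample data: the moduli are arbitrary numbers, not real RSA keys.
CREATED = 1391000000  # constructed creation time (early 2014)
GENUINE_KEY_BODY = rsa_public_key_body(CREATED, int("CAFEBABE" * 8, 16), 65537)
SWAPPED_KEY_BODY = rsa_public_key_body(CREATED, int("DEADBEEF" * 8, 16), 65537)

# The value a security page would publish over HTTPS next to its contact details.
PINNED_FINGERPRINT = v4_fingerprint(GENUINE_KEY_BODY)


def check_received_key(packet: bytes, pinned_fingerprint: str = PINNED_FINGERPRINT) -> bool:
    """What a reporter runs on a key that arrived by e-mail: parse it and compare
    its fingerprint with the pinned one. A substituted key fails the comparison."""
    return key_matches_pin(parse_public_key_packet(packet), pinned_fingerprint)


if __name__ == "__main__":
    print("pinned:", PINNED_FINGERPRINT)
    print("genuine key accepted:", check_received_key(public_key_packet(GENUINE_KEY_BODY)))
    print("swapped key accepted:", check_received_key(public_key_packet(SWAPPED_KEY_BODY)))
```

The point of the design is that the fingerprint, not the key, is what needs the trusted channel: it is short enough to print on a web page, and a key that arrives by any other route is accepted only if it hashes to that value.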

~~~
tlrobinson
Why don't they just publish the key on the site?

~~~
danielsiders
Probably because security@ emails are routed through their normal helpdesk
system which doesn't handle PGP properly.

~~~
akerl_
I doubt that their security emails do that, but even if they do, changing how
you get the key wouldn't fix a PGP compatibility issue, since once you have
the key you'd still be emailing them using it.

------
sneak
Hey githubbers, could you please stop repeating the tired "responsible
disclosure" meme?

Full disclosure is not irresponsible and attempts to frame it as such are
bordering on malicious toward the exact community in which you are attempting
to engender goodwill.

~~~
droopybuns
I disagree that "responsible disclosure" is tired, or that it is a meme.

Software development is hard. Most projects are developed by teams, not single
contributors. Consequently, part of reporting bugs is enduring the back and
forth of communications with teams. Reporting bugs is not an all-or-nothing
game.

~~~
grkvlt
It certainly isn't tired, and "responsible disclosure" policies are absolutely
preferred over any sort of free-for-all distribution and posting of PoC code
to the world before the vendor. I think most professional security researchers
have always subscribed to the general idea of responsible disclosure of
vulnerabilities, even before things like RFPolicy [0] brought the concept to a
wider audience.

However by any reasonable definition [1] it _is_ a meme, being a "unit for
carrying cultural [...] practices that can be transmitted [...] through
writing [or] speech." Remember that memes existed as a concept long before
LOLcats and formulaic GIF images with amusing text macros on the Internets...

[0] http://www.wiretrip.net/p/libwhisker.html
[1] https://en.wikipedia.org/wiki/Meme

~~~
sneak
My problem is not with companies preferring advance notice, or with people who
abide by what is called "responsible disclosure". Indeed, it is often the
Right Thing To Do.

The problem is that use of the phrase "responsible disclosure" FRAMES anything
that does not conform to that narrow definition as "irresponsible disclosure",
when in reality it simply is not. (It is not irresponsible to pull a @homakov,
for instance.)

It's "framing": a way that use of language shapes our thinking about the world
and events therein, sometimes and usually without our explicit conscious
consent to such bias.

Please stop using the term. "Advance developer/vendor notification" is a
suitable replacement if you wish.

~~~
droopybuns
If we were playing table tennis, I would comment on the tremendous amount of
english you put on that ball.

On the one hand, I concede your point. I think your phrasing is certainly more
accurate. However it isn't quite as expressive to the layman.

On the other hand, there are so few people out there who truly can grasp the
nuances that you're focusing on, I am wary of propagating your valid point.

I still think "responsible disclosure" is a better (albeit damaged)
descriptor.

------
flyinglizard
Isn't $5000 ridiculously low compared to the black market value of a GitHub
exploit, or the time required to develop it?

Assuming a company thinks it's pretty secure, putting real money on the line
(the same money you'd normally pay an expert to pentest your system) would get
some more prolific minds involved.

~~~
tptacek
No, it is probably not. People have weird ideas about how much random web bugs
are worth. Big ticket bugs are easily monetizable, and/or attack a huge
install base with a very slow patch cycle. People hear about 5-6 figure bugs,
but those are typically reliable browser clientside RCEs.

~~~
homakov
Github also has slow patch cycle. Enterprise edition

------
bugcrowd
Great to see Github recognizing processes for security researchers between the
ages of 13-18 in the FAQ. In the new age of crowdsourced skills, it's good to
see age not playing a part as a barrier.

------
homakov
Now there is nothing to hax.

~~~
sneak
You should ask them to apply it retroactively.

~~~
homakov
I don't need anything. I was saying now you need some good 0days because it is
hard to find silly XSS on GitHub these days.

------
nilsjuenemann
Great news. I'm happy to see this program in "public mode" now. GitHub
launched this program already as private beta in May 2013.

[https://twitter.com/totally_unknown/status/428992824474759168](https://twitter.com/totally_unknown/status/428992824474759168)

Don't expect to earn easy cash here. :)

~~~
georgemcbay
I wonder if the reward values have changed since the beta? I'm sure it is much
harder to find anything now than it would have been back then, assuming they
got a good turnout from really experienced people and 7-8 months of headstart.

~~~
nilsjuenemann
That's from the private beta:

"We are using a simple severity ranking scheme: Low - Medium - High -
Critical. Rewards range from $100 up to $5000 and are determined at our
discretion based on a number of factors. For example, if you find a reflected
XSS that is only possible in Opera, and Opera is only 1.64% of our traffic,
then the severity and reward will be lower. But a persistent XSS that works in
Chrome, at 59.53% of our traffic, will earn a much larger reward."

------
pearjuice
You just have to wait for homakov to put himself at the top of the
leaderboard.

------
TomAnthony
This looks great.

I especially like that they have 'rules for us' and also they have a section
at the bottom which discusses discretionary bounties for their properties not
covered in the main list.

------
nodesocket
We recently launched our bug bounty program for Commando.io as well
[https://commando.io/security.html](https://commando.io/security.html).

------
dimillian
So the Firefox UI is much like the Chrome UI minus border radius.

~~~
mattkirman
If you're referring to the browser screenshot I think it's Opera (which is now
based on Chromium) rather than Firefox. That will at least explain some of the
similarities.

