
* 2019-06-19 23:28:56 UTC Issue reported to GitHub on HackerOne

* 2019-06-19 23:36:50 UTC Issue confirmed by GitHub security team

* 2019-06-20 02:44:29 UTC Issue patched on github.com, GitHub replies on HackerOne to double-check that the patch fully resolves the issue

* 2019-06-26 16:19:20 UTC GitHub Enterprise 2.17.3, 2.16.12, 2.15.17, and 2.14.24 released with the patch (see GitHub’s announcement).

* 2019-06-26 22:30:45 UTC GitHub awards $25000 bounty

So used to these disclosure articles where the timelines look very different, communication is lacking and there's pushback on the bounties etc.

Refreshing to see that sometimes the process works as everyone hopes it will.




I mean, it’s a total auth bypass in GitHub by simply sending a HEAD request, with a one line fix. The turnaround time shows that they have the ability to evaluate a serious report through HackerOne quickly, they have a dedicated engineer who could get in and make the one line fix, and they have the ability to deploy new code quickly. All good things!

I am mostly impressed that they paid out $25k in under a week. That’s a sign of not just a good engineering setup, but some good bureaucracy as well.


Perhaps it does merely reduce to "being competent". But the contrast with nearly every other vendor out there is stark.

Been managing GHE for years, and I have been consistently impressed with GitHub's code quality, competence, and even product management (nearly every time I think, "there should be a way to...", there already is).

From the outside, at least, they look like the model to emulate for this sort of application.


You're both right, competency is in fact really damn impressive.

(I have come to think, as a software engineer, that we've computerized so much of social life that our economy literally could not afford it if it wasn't mostly crap).


How long until someone is coding up a minivan?

https://dilbert.com/strip/1995-11-13


It doesn't say they paid out yet, just that they 'awarded' the bounty, which could just be GitHub telling HackerOne they intend to pay without actually having moved any money yet.


Regardless, the fact that someone at GitHub can approve such a large payment so quickly is still impressive.


I don't think $25k is a large payment in GitHub's eyes. There are much smaller companies that don't even blink spending ten times as much.

And this was definitely approved before they went out and told people what they would pay for different bugs.


Exactly what I thought too. Just for once, a bug bounty program worked as intended. Bug was fixed in a timely fashion instead of being denied or ignored, bounty was awarded, disclosure was made, life gets better for everyone. Nice to see.


"Just for once, a bug bounty program worked as intended" I would just say, you don't generally hear about it when it works as intended (as it usually does).

Your sentiment, though, is why it's nice when it is publicized that the system is working as intended, like it did in this case.


I run a bounty program and I like to think my company does a good job, too. I received a report of a RCE in a desktop app and got a fix released in 72h. We have a bounty committee that reviews payouts and paid in one week.


It's good PR too. This really makes me appreciate GitHub that much more.



