Behind the Scenes in GitHub Bug Bounty

Back to the list of Speakers and Sessions
Watch the stream

We've often had the opportunity to hear about bug hunting & bug bounty programs from the researcher perspective, or in the form of sales pitches from companies that help build them, but less often do we hear from the folks who work on those programs as their main focus.

In this talk we'll explore the ins and outs of GitHub's Bug Bounty program, along with advice for those working in or building BB/VDP programs, or submitting bounty reports. GitHub was an early adopter of bug bounties, with our program dating back to January 2014. Since then, the program has been recognized as a leading bug bounty program consistently offering generous awards with clear scoping. In addition to having a dedicated team to work with researchers, we’ve paid out over $3,500,000 USD in bounties to date.

I'll cover: - GitHub's Bug Bounty program, including payouts and key milestones - How GitHub handles report triage & severity assignment - How GitHub’s bounty team interacts with researchers and aims to more deeply understand and analyze reports - Operational considerations of working with both a SaaS & on-prem product - Report/vulnerability disclosure - Bug bounty triage as a job & career stepping stone - Tips for researchers and bounty staff

Attendees will walk away having a better understanding of how GitHub's Bug Bounty team and program has grown over the past 8 years, the nuances and challenges that triagers/engineers face working with bounty reports, and also how to improve their ROI when working on/with programs.


Logan MacLaren Senior Product Security Engineer, GitHub

Logan is a Senior Product Security Engineer at GitHub where he focuses on the success of their Bug Bounty program. When not hacking on GitHub itself, Logan can be found doing security research focused on open source projects, or learning and refining new skills with CTF challenges!