Strengthening GitHub's Bug Bounty: Quality, Collaboration, and the Path Forward
GitHub's bug bounty program has long relied on the global security research community to help protect over 180 million developers. By working together, we continuously improve platform security. However, as the threat landscape evolves, so must our program. In this Q&A, we address common questions about recent changes, submission quality, and the role of AI in research.
- Why does GitHub invest in a bug bounty program?
- What challenges is the program facing?
- How is GitHub raising the bar on submissions?
- What makes a strong bug bounty submission?
- Why is a working proof of concept so important?
- How should researchers handle scope and ineligible findings?
- What is GitHub’s stance on AI in security research?
Why does GitHub invest in a bug bounty program?
GitHub views the security research community as one of its greatest assets. Each year, researchers worldwide help identify and fix vulnerabilities, making the platform safer for over 180 million developers. The bug bounty program is built on the belief that collaboration with external experts is one of the most effective ways to improve security. We remain deeply committed to this partnership because it brings diverse perspectives and cutting-edge techniques to our defense. By incentivizing responsible disclosure, we not only catch issues early but also foster a culture of shared responsibility. The program is a cornerstone of our security strategy, and we invest in it continuously to adapt to new challenges and maintain trust with our users.

What challenges is the program facing?
Over the past year, submission volume across the industry has grown dramatically. New tools, including AI, have lowered the barrier to entry for security research. While more people exploring attack surfaces is generally positive, we've seen a sharp increase in low-quality reports. These include submissions without proof of concept, theoretical attacks that cannot be demonstrated, and findings already listed as ineligible. This trend is not unique to GitHub; many programs face similar noise. Some have even shut down entirely. We don't want that. Instead, we are investing in making our program better—by raising standards and providing clearer guidance to researchers.
How is GitHub raising the bar on submissions?
To maintain program effectiveness, GitHub is tightening evaluation criteria. Going forward, reports will be assessed more strictly. We require a working proof of concept that demonstrates real security impact—not just a theoretical possibility. Researchers must also be aware of our scope and ineligible findings list before submitting. Reports that violate these guidelines will be closed as Not Applicable, which can affect a researcher's HackerOne Signal and reputation. Additionally, we expect validation before submission: whether using scanners, static analysis, or AI assistants, researchers must manually confirm that findings are not false positives. This reduces noise and ensures that our team can focus on genuine vulnerabilities.
What makes a strong bug bounty submission?
A strong submission meets three key criteria:
- Working proof of concept with demonstrated impact: Show us exactly what an attacker can achieve, not just describe it. Provide a concrete exploit that crosses a real security boundary.
- Awareness of scope and ineligible findings: Before submitting, review the program scope and ineligible list. Common exclusions include DMARC/SPF/DKIM configuration, user enumeration, or missing security headers without a demonstrated attack path.
- Validation before submission: Manually verify that your tool's output is a true positive. A false positive that's been caught beforehand saves everyone's time; one that hasn't is just noise.

Why is a working proof of concept so important?
A proof of concept is the foundation of a credible bug report. It moves the finding from theoretical speculation to demonstrable risk. Without it, the report is incomplete—it's essentially saying "this could lead to…" without proving it does. GitHub wants to see the actual boundary that can be crossed and the concrete impact on users or systems. A working PoC helps our team understand the severity, reproduce the issue, and prioritize fixes. It also shows that the researcher has invested the effort to validate their discovery. In a high-volume environment, PoCs separate genuine insights from noise, allowing us to focus on what truly matters for security.
How should researchers handle scope and ineligible findings?
Before submitting any report, researchers must carefully review GitHub's bug bounty scope and list of ineligible findings. This is not just a recommendation—it's a requirement. Submissions that fall under known ineligible categories—such as DMARC/SPF/DKIM configuration issues, user enumeration, or missing security headers without a demonstrated attack path—will be closed as "Not Applicable." This classification can negatively impact a researcher's HackerOne Signal score and reputation. To avoid this, take the time to understand what we do and do not accept. If you're unsure, look at existing publicly disclosed reports for guidance. Staying within scope shows professionalism and increases your chances of a timely and positive response.
What is GitHub’s stance on AI in security research?
GitHub welcomes the use of AI tools in security research. We believe AI is a force multiplier that can help researchers find vulnerabilities more efficiently. However, with great power comes great responsibility. Researchers must still validate every output from AI models before submission. AI can generate false positives or suggest attacks that aren't feasible. Relying solely on automated output without manual verification leads to noise that wastes everyone's time. Our policy is clear: use AI to augment your skills, not replace them. As long as you manually confirm the impact and follow our submission criteria, AI-assisted research is fully supported and encouraged within our bug bounty program.