Mastering GitHub's Bug Bounty Program: A Comprehensive Guide to Quality Submissions

2026-05-16 05:19:12

Overview

GitHub's bug bounty program is a cornerstone of its security strategy, leveraging the global security research community to identify and fix vulnerabilities. With over 180 million developers relying on the platform, the program has evolved to address a surge in submission volume, including a rise in low-quality reports. This guide provides a detailed walkthrough of how to submit high-quality vulnerability reports that meet GitHub's updated standards, ensuring your contributions are impactful and valued.

Source: github.blog

Prerequisites

Before diving into submissions, ensure you have the following:

Step-by-Step Instructions for a Successful Submission

Step 1: Research and Reconnaissance

Start by thoroughly understanding GitHub's attack surface. Use reconnaissance techniques to identify potential weaknesses. Check the program scope to target in-scope domains and services. Avoid wasting time on out-of-scope areas.

Step 2: Identify a Vulnerability with Real Impact

Focus on vulnerabilities with demonstrable security impact, for example an XSS that enables session hijacking, or a path traversal that allows reading files the attacker should not be able to access. Use scanners or AI tools to assist, but treat their outputs as starting points and manually verify each finding.

Step 3: Develop a Working Proof of Concept (PoC)

Create a concrete PoC that shows the exploit in action. This should include step-by-step instructions, screenshots, videos, or payloads. GitHub expects you to show, not just tell. For instance, if you claim an authentication bypass, provide the exact request sequence that bypasses login.

Step 4: Validate Within Scope and Ineligible List

Before submitting, double-check that your finding is not already on GitHub's ineligible list. Common ineligible items include DMARC/SPF/DKIM misconfigurations, user enumeration via timing attacks, missing security headers without a complete attack chain, and self-XSS. If your report falls into these categories, it will be closed as Not Applicable, harming your HackerOne Signal.

Step 5: Manually Validate Your Findings

No matter what tools you used—scanners, static analysis, AI assistants—you must manually validate the output. A false positive that you catch before submission saves everyone time. If you submit noise, it reflects poorly on your reputation. Run your exploit multiple times to confirm consistency.

Step 6: Write a Clear, Concise Report

On HackerOne, craft a report that includes:

Step 7: Submit and Engage Responsively

Submit your report via HackerOne. GitHub's team will triage it. Be prepared to answer questions or provide additional clarification. Respond promptly to maintain momentum. If your report is marked as duplicate or Informative, accept feedback gracefully and improve future submissions.

Common Mistakes to Avoid

Mistake 1: Submitting Without a Working PoC

Many researchers describe a vulnerability theoretically but fail to prove it works. Without a PoC, GitHub will consider the report incomplete and will likely close it as Informative. Always include a working exploit.

Mistake 2: Ignoring Scope and Ineligible List

Submitting findings that are explicitly out of scope or on the ineligible list wastes time. For example, reporting a DMARC issue that has no security impact will be rejected. Review the lists before each submission.

Mistake 3: Relying Solely on Automated Tools

Automated scanners and AI assistants can generate false positives. Submitting unverified scanner output is noise. Always manually verify each finding and provide context.

Mistake 4: Vague Impact Statements

Don't say "this could lead to XSS." Show that it does. GitHub wants clear evidence of a cross-boundary attack. If you say an attacker can read arbitrary files, demonstrate reading /etc/passwd.

Mistake 5: Poor Communication and Follow-Up

After submission, failing to respond to triage questions can delay or kill your report. Be proactive and professional in discussions.

Summary

GitHub's bug bounty program is adapting to rising submission volumes by emphasizing quality over quantity. To succeed, researchers must provide working proof of concepts, adhere to scope and ineligible lists, and manually validate all findings before submission. By following this guide, you'll increase your chances of bounties, build a strong HackerOne reputation, and contribute meaningfully to GitHub's security. Remember, AI tools are welcome but must be used as assistants, not crutches. Master these steps, and you'll be a valued partner in GitHub's security journey.
