
According to foreign media reports, GitHub last year paid a total of $166495 to security researchers who reported system problems and vulnerabilities they had found, in the fourth year of its "vulnerability reward" (bug bounty) program. In 2016, GitHub paid out a total of $817000, so last year's total spending has clearly more than doubled and is almost equivalent to the combined expenditure of the previous three years ($177000). In 2014 and 2015, it paid a total of $953000 in bounties.

In 2017, GitHub received a total of 840 vulnerability reports, but only 15% of them (about 121) were ultimately confirmed as real problems and earned a bounty. In 2016, GitHub received a total of 795 vulnerability reports, of which only 73 were rewarded, and of those only 48 valid reports were listed on the bug bounty program's home page.

The increase in the number of valid reports drove the increase in total spending and led GitHub to reassess its payment structure last October. As a result, the bounties doubled, with a minimum of $555 and a maximum of $20000.

GitHub's Greg Ose points out that, with the growing number of projects, programs and researchers involved, last year saw by far the most bounty money paid out. In addition, GitHub Enterprise was brought into the bug bounty program, allowing researchers to look for vulnerabilities in areas that are not exposed on the GitHub.com platform or that are specific to an enterprise deployment. Ose said:

"At the beginning of last year, a lot of vulnerability reports related to our enterprise certification method, which prompted us to pay attention to this issue internally, and we are also studying how to get researchers to pay attention to this feature."

In addition, Ose said GitHub has awarded its first research grants, an initiative it had been considering for a long time. A grant pays a fixed amount to researchers who dig into a specific feature or area of the application. Of course, anyone else who discovers a vulnerability there can still be rewarded through the bug bounty program.

Last year, GitHub also launched a private bug bounty service that lets it limit the impact of vulnerabilities in production. It also made internal improvements to triage vulnerabilities and ship fixes more effectively, and plans to refine the process further this year.

GitHub now hopes to build on its 2017 results by introducing more private bounties and research grants, to attract scrutiny both before and after code is released to the public. The company also plans to launch an additional incentive scheme later this year. Ose concluded:

"Given the success of the vulnerability reward program, we are now considering how to expand its scope to provide more help to our production services while protecting the entire GitHub ecosystem. We look forward to the next step of work, and will classify and correct the submitted vulnerabilities this year."
