Elevating Standards: How GitHub is Strengthening Its Bug Bounty Program for the Future

Last updated: 2026-05-18 05:08:44

GitHub's bug bounty program has long been a cornerstone of its security strategy, leveraging the expertise of researchers worldwide to protect over 180 million developers. As the security landscape evolves, GitHub is adapting its program to maintain high-quality submissions and ensure continued collaboration with the research community. Below, we explore the key changes and principles behind this evolution.

Why is GitHub making changes to its bug bounty program?

GitHub is responding to a significant increase in submission volume across the industry, driven in part by new tools like AI that lower the barrier to entry for security research. While this growth has led to more opportunities to find real vulnerabilities, it has also brought a sharp rise in low-quality reports—those lacking proof of concept, presenting theoretical scenarios without real impact, or duplicating known ineligible findings. Rather than shutting down the program, as some organizations have done, GitHub is investing in raising the bar for submission quality. This approach ensures that valuable researcher time is focused on actionable vulnerabilities, maintaining the program's effectiveness and fairness for all participants.

Source: github.blog

What does a strong bug bounty submission look like now?

GitHub is enforcing stricter criteria for what constitutes a complete submission. A strong report must include a working proof of concept that demonstrates real security impact—showing what an attacker could actually achieve, not just speculating about potential risks. Researchers must also review the scope and ineligible findings list before submitting, as reports covering excluded categories (e.g., DMARC/SPF/DKIM configuration, user enumeration, missing security headers without a proven attack path) will be closed as Not Applicable and may affect the researcher's HackerOne Signal. Additionally, reports must be validated before submission, regardless of the tools used—be it scanners, static analysis, or AI assistants. Manual verification of findings prevents false positives from becoming noise.

How does GitHub view the use of AI in security research?

GitHub explicitly welcomes the use of AI tools in security research, recognizing them as a force for good that can help identify vulnerabilities more efficiently. However, the responsibility for validating AI-generated outputs lies with the researcher. Submissions that rely on AI without proper manual review—especially those that present unvalidated false positives—are not acceptable. By encouraging responsible AI use, GitHub aims to harness the benefits of automation while maintaining the integrity of the bug bounty program. Researchers are expected to treat AI outputs as starting points, not final answers, and to ensure that every submission demonstrates genuine security impact through thorough verification.

What happens if a researcher submits a low-quality report?

Submissions that do not meet GitHub's revised standards will be closed as Not Applicable. This includes reports without a working proof of concept, those based on theoretical attack scenarios that cannot be demonstrated, or those already covered by the ineligible list. Such closures can negatively impact a researcher's HackerOne Signal and reputation, potentially affecting their standing in other programs. GitHub emphasizes that this is not about penalizing researchers but about maintaining a high-quality, fair program for all. The goal is to encourage thorough research and thoughtful submissions, reducing noise and focusing on genuine security risks that can be acted upon.

Will GitHub ever shut down its bug bounty program?

GitHub states that it does not want to shut down its bug bounty program, even as other organizations have done so due to overwhelming low-quality submissions. Instead, GitHub is committed to investing in making the program better by raising standards and providing clear guidelines. The company views collaboration with external researchers as one of the most effective ways to improve security. By adapting to the changing landscape—such as increased volume from AI tools—GitHub aims to ensure the program remains sustainable and valuable. Researchers can expect ongoing support and transparent communication, with a focus on quality over quantity.

How can researchers ensure their submissions meet the new requirements?

Researchers should follow three key steps before submitting to GitHub's bug bounty program. First, develop a working proof of concept that demonstrates a concrete attack path and real security impact—avoid vague statements like “this could lead to…” without evidence. Second, review the scope and ineligible findings list carefully to avoid wasting time on excluded issues. Finally, validate all findings manually, regardless of the tools used, to filter out false positives and ensure the report is actionable. By adhering to these guidelines, researchers can maintain strong reputations and contribute meaningfully to GitHub's security. GitHub also encourages the use of AI tools but reminds researchers that ultimate validation is their responsibility.