GitHub

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
GitHub CSP OTHER critical
While content-injection vulnerabilities are already in-scope for our [GitHub.com bounty](https://bounty.github.com/targets/github.html), we also accept bounty reports for novel [CSP](https://developers.google.com/web/fundamentals/security/csp/) bypasses affecting GitHub.com, even if they do not include a content-injection vulnerability. Using an intercepting proxy or your browser's developer tools, experiment with injecting content into the DOM. See if you can execute arbitrary JavaScript or exfiltrate sensitive page contents such as CSRF tokens. Reports of other previously-unknown impacts from content-injection will also be considered. Previously identified attacks are not eligible for reward (we've put a lot of thought into CSP bypasses already). You can find a discussion of known attacks and our attempts to mitigate them [here](http://githubengineering.com/githubs-csp-journey/). Attacks against CSP features not used on GitHub.com, such as script nonces, are not eligible for reward. Vulnerabilities resulting from injection in implausible locations, such as within an element that doesn't contain user-content, are not eligible for reward. Rewards are determined at our discretion: if you think you've found something cool and novel, report it!
GitHub Enterprise HARDWARE critical
GitHub Enterprise is the on-premises version of GitHub. GitHub Enterprise shares a code-base with GitHub.com, is built on Ruby on Rails and leverages a number of open source technologies. GitHub Enterprise adds a number of features for enterprise infrastructures. This includes additional authentication backends and clustering options. Below is a subset of features unique to GitHub Enterprise that might be interesting to investigate.

- Instance-wide authentication ([_private mode_](https://help.github.com/enterprise/admin/guides/installation/enabling-private-mode/))
- External authentication backends including [CAS, LDAP, and SAML](https://help.github.com/enterprise/admin/guides/user-management/)
- In-app administration of the instance using a site administrator control panel
- [User, organization, and repository migration](https://help.github.com/enterprise/admin/guides/migrations/)
- [Web-based management console](https://help.github.com/enterprise/admin/guides/installation/web-based-management-console/) and [SSH access](https://help.github.com/enterprise/admin/guides/installation/administrative-shell-ssh-access/) to configure and update the instance
- [Pre-receive hook scripts](https://help.github.com/enterprise/admin/guides/developer-workflow/creating-a-pre-receive-hook-script/)

Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, a vulnerability in a service that is intended to be restricted from external access would have a lower reward than one within the core GitHub Enterprise web interface. You can request a trial of GitHub Enterprise for security testing at [https://enterprise.github.com/bounty](https://enterprise.github.com/bounty).
GitHub.com URL high high high critical
GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies. Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is \<2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at \>60% of our traffic, will earn a much larger reward. You can find the app at [https://github.com](https://github.com "https://github.com").
Other Applications DOWNLOADABLE_EXECUTABLES none low none low
GitHub builds and operates a number of web properties and applications. Not all of them are currently part of an open bounty; however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed on the [Open bounties](https://bounty.github.com/index.html#open-bounties) page are not currently eligible for cash rewards.
api.github.com URL high high high critical
The GitHub API is used by thousands of developers and applications to programmatically interact with GitHub data and services. Because so much of the GitHub.com functionality is exposed in the API, security has always been a high priority. Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. You can find the app at [https://api.github.com](https://api.github.com "https://api.github.com") and can find the API documentation at [https://developer.github.com](https://developer.github.com "https://developer.github.com").
gist.github.com URL medium medium medium critical
Gist is one of the first products launched by GitHub after GitHub.com. It is a service for sharing snippets of code or other text content. Gist is built on Ruby on Rails and leverages a number of Open Source technologies. Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is \<2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at \>60% of our traffic, will earn a much larger reward. You can find the app at [https://gist.github.com](https://gist.github.com "https://gist.github.com").
*.github.net URL critical
Subdomains under `*.github.net` run services for our internal production network. Many of these services are not accessible from outside our internal network. Not all subdomains are [in-scope](https://bounty.github.com/#scope).
*.githubapp.com URL critical
Subdomains under `*.githubapp.com` provide a number of internal services to GitHub employees. Not all subdomains are [in-scope](https://bounty.github.com/#scope).
GitHub Classroom Assistant DOWNLOADABLE_EXECUTABLES critical
The [GitHub Classroom Assistant application](https://classroom.github.com/assistant) is currently out-of-scope.
GitHub Desktop DOWNLOADABLE_EXECUTABLES critical
[GitHub Desktop](https://desktop.github.com) is an open-source [Electron](https://electronjs.org)-based app for working with your GitHub.com or GitHub Enterprise account. Only the following vulnerabilities are eligible for reward:

* Remote code execution via protocol handlers such as `x-github-client://`
* Code execution without user interaction when cloning or fetching malicious repositories
GitHub Enterprise Cloud OTHER critical
GitHub Enterprise Cloud is the cloud-hosted version of GitHub Enterprise. It is designed for teams who want advanced authentication and permissions without managing infrastructure. More information about GitHub Enterprise Cloud is available at https://github.com/enterprise.
GitHub Enterprise Server HARDWARE critical
GitHub Enterprise Server is the on-premises version of GitHub Enterprise. GitHub Enterprise Server shares a code-base with GitHub.com, is built on Ruby on Rails and leverages a number of open source technologies. GitHub Enterprise Server adds a number of features for enterprise infrastructures, including additional authentication backends and clustering options. Below is a subset of features unique to GitHub Enterprise that might be interesting to investigate.

* Bypassing instance-wide authentication, also known as [*private mode*](https://help.github.com/enterprise/admin/guides/installation/enabling-private-mode/)
* External authentication backends including [CAS, LDAP, and SAML](https://help.github.com/enterprise/admin/guides/user-management/)
* In-app administration of the instance using a site administrator control panel
* [User, organization, and repository migration](https://help.github.com/enterprise/admin/guides/migrations/)
* [Web-based management console](https://help.github.com/enterprise/admin/guides/installation/web-based-management-console/) and [SSH access](https://help.github.com/enterprise/admin/guides/installation/administrative-shell-ssh-access/) to configure and update the instance
* [Pre-receive hook scripts](https://help.github.com/enterprise/admin/guides/developer-workflow/creating-a-pre-receive-hook-script/)
* [GitHub Connect](https://help.github.com/enterprise/admin/guides/developer-workflow/connecting-github-enterprise-server-to-github-com/), which allows users to share specific features and workflows between your GitHub Enterprise Server instance and a GitHub.com organization on GitHub Enterprise Cloud
* See [our documentation](https://help.github.com/enterprise/admin/guides/installation/network-ports-to-open/) for a list of services typically open on an instance

You can request a trial of GitHub Enterprise Server for security testing at [https://enterprise.github.com/bounty](https://enterprise.github.com/bounty).
GitHub Pages OTHER critical
GitHub Pages is our static site hosting service designed to host your personal, organization, or project pages directly from a GitHub repository. It uses the Jekyll static site generator, and officially supported themes are developed in the pages-themes organization. GitHub Pages supports custom domains and can be secured with HTTPS. Eligible submissions include:

* Executing arbitrary code during the build process, either via a custom Jekyll theme or via vulnerabilities in the command-line Git tools when cloning or checking out repositories
* Reading arbitrary files during the build process that discloses sensitive information, for example by misusing path traversal or symbolic links in a custom Jekyll theme

**Individual GitHub Pages sites hosted under `*.github.io` are out-of-scope.**
GitHub Production Credentials OTHER critical
GitHub uses a mix of our own physical infrastructure, cloud platforms and third-party services to keep everything running smoothly. Keeping credentials and access tokens secure for these services is paramount. These include:

* Credentials allowing access to package managers, cloud services and GitHub personal access tokens.
* Credentials accidentally made public in repositories.
* Credentials exposed by a third-party service.

Please review our [guidance for handling PII](https://bounty.github.com/#handling_personally_identifiable_information_pii) before investigating credentials. The reward amount is based on the impact of the leaked credential, as determined by the GitHub Security team.
classroom.github.com URL critical
education.github.com URL critical
GitHub Education offers a variety of tools to help educators and researchers work more effectively inside and outside of the classroom. More details are available at https://education.github.com/. GitHub Classroom is [open-source](https://github.com/education/classroom).
jobs.github.com URL critical
[GitHub Jobs](https://jobs.github.com/) is a great place to attract the best technical talent for your company's open software development positions.
lab.github.com URL critical
Get the skills you need without leaving GitHub. GitHub Learning Lab takes you through a series of fun and practical projects, sharing helpful feedback along the way.
Dependabot OTHER high high high critical
Dependabot powers GitHub's [automated security fixes](https://help.github.com/en/articles/configuring-automated-security-fixes). This feature allows GitHub users to automatically update vulnerable dependencies. The core logic of Dependabot is [open-source](https://github.com/dependabot/dependabot-core) and an [overview of the architecture](https://github.com/dependabot/dependabot-core#architecture) is available.

* Execution environment breakout attacks, providing access to private networked resources or other users' data
* Security issues in [`dependabot-core`](https://github.com/dependabot/dependabot-core)
LGTM OTHER critical
LGTM is a code analysis platform for development teams to identify vulnerabilities early and prevent them from reaching production. It uses [CodeQL](https://semmle.com/ql), which works by retrieving source code from version control systems, building it with custom tooling, and creating analysis results. LGTM uses Docker containers to isolate the build and analysis environment from the rest of the infrastructure. By nature this environment permits arbitrary code execution by any registered user, so the quality of isolation is a critical part of the security model. The public site includes two user types (user and admin user) as well as anonymous access.

* [`lgtm-com.pentesting.semmle.net`](lgtm-com.pentesting.semmle.net) is a dedicated instance of LGTM for your research.
* [`backend-dot-lgtm-penetration-testing.appspot.com`](backend-dot-lgtm-penetration-testing.appspot.com) is used for triggering automated tasks from other parts of the LGTM system. It does not provide a user interface.
* [`downloads.lgtm.com`](downloads.lgtm.com)
semmle.com URL critical
Our main domain for Semmle and LGTM services. All subdomains under semmle.com are in-scope **except**:

* dev.semmle.com
* git.semmle.com
* jira.semmle.com
* wiki.semmle.com
semmle.net URL critical
Our domain for non-production Semmle services. All subdomains under `semmle.net` are in-scope.
GitHub CLI DOWNLOADABLE_EXECUTABLES critical
[GitHub CLI](https://cli.github.com) is an open source command line tool for working with your GitHub.com account. It is built with Golang and lets you perform GitHub.com actions from your terminal, such as viewing, commenting on and otherwise acting on issues and PRs.
GitHub for mobile OTHER critical
Bring GitHub collaboration tools to your small screens with [GitHub for mobile](https://github.com/mobile).

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.github.io URL critical
GitHub Pages sites are not in scope.
*.githubapp.com URL critical
Occasionally, exceptional reports are rewarded at our discretion on a case by case basis.
Atom DOWNLOADABLE_EXECUTABLES none
Occasionally, exceptional reports are rewarded at our discretion on a case by case basis. [https://atom.io](https://atom.io "https://atom.io")
Electron DOWNLOADABLE_EXECUTABLES none
Electron vulnerabilities which do not affect Atom or GitHub Desktop are out-of-scope and should be [reported directly](https://electronjs.org/community) to the Electron developers.
GitHub Desktop DOWNLOADABLE_EXECUTABLES critical
Occasionally, exceptional reports are rewarded at our discretion on a case by case basis. [https://desktop.github.com](https://desktop.github.com "https://desktop.github.com")
classroom.github.com URL critical
Occasionally, exceptional reports are rewarded at our discretion on a case by case basis. [https://classroom.github.com](https://classroom.github.com "https://classroom.github.com")
enterprise.github.com URL critical
enterprise.github.com is commonly confused with the [GitHub Enterprise product](https://github.com/pricing/business-enterprise), which is an on-premises instance of GitHub. Occasionally, exceptional reports are rewarded at our discretion on a case by case basis.
git.io URL none
The [git.io](https://git.io) URL shortener is out-of-scope.
spectrum.chat URL none
[Spectrum](https://spectrum.chat) is currently out-of-scope.
github.blog URL none
[github.blog](https://github.blog) is out-of-scope.
GitHub Education Community forum OTHER none
The [GitHub Education Community forum](https://education.github.com/forum) is not in-scope and ineligible for rewards.
blog.github.com URL none
The GitHub Blog is not in-scope and ineligible for rewards.
community.github.com URL none
The GitHub Community forum is not in-scope and ineligible for rewards.
education.github.com/forum URL none
The [GitHub Education Community forum](https://education.github.com/forum) is not in-scope and ineligible for rewards.
shop.github.com URL none
The GitHub Shop is not in-scope and ineligible for rewards.
GitHub Classroom Assistant DOWNLOADABLE_EXECUTABLES none
The [GitHub Classroom Assistant application](https://classroom.github.com/assistant) is currently out-of-scope.