GitHub Paid Out Over $1.5 Million via Bug Bounty Program Since 2016


According to the company, in 2020, it paid out over half a million dollars for more than 200 vulnerabilities affecting its products and services. The amount is roughly the same as in the previous year.

GitHub said it received more than 1,000 submissions through its public and private bug bounty programs, and claimed that its response times improved by 4 hours compared to 2019 — the average in 2020 was 13 hours to the first response.

The company also says it validated and triaged vulnerability reports within 24 hours on average, and that rewards were paid out, on average, 24 days after a report was submitted.