February 2020 marked the sixth year of GitHub's Security Bug Bounty Program. The program has been an overwhelming success for GitHub, its customers, and the researcher community. While GitHub celebrated its achievements so far in a recent blog post announcement, it won't be complacent. GitHub has bold plans for the program in 2020.
GitHub recently launched and will continue to invest in the GitHub Security Lab bounty program. The point of this program is to incentivize researchers. Researchers are key to keeping open source software secure, and they have already played a major role in the success of GitHub's and other bug bounty programs. Specifically, the program offers rewards for researchers who write CodeQL queries that uncover entire vulnerability classes. In turn, the entire community can use those queries for their own projects. The goal: removing vulnerabilities at scale.
Additionally, GitHub will start assigning CVEs to bounty submissions that impact GitHub Enterprise Server. This should help GitHub transparently communicate the state of its software to its customers. GitHub also pitches the move as yet another opportunity to celebrate researchers.
For all of GitHub's plans and past accomplishments, see the blog post announcement. If you want to get involved, visit the Security Bug Bounty site.