OBLAIDISH NEWS
GitHub raises bug bounty payouts, focuses on quality over quantity

GitHub updates its bug bounty program to emphasize high-quality reports, clarifies security responsibilities, and increases rewards—average payout up 30% in the past year.

GitHub has overhauled its bug bounty program to prioritize high-quality vulnerability reports, clarify shared security responsibilities, and adjust rewards for low-risk findings [GitHub Blog]. The changes take effect immediately and aim to reduce noise while improving detection of critical flaws.

Submissions will now be assessed on impact and reproducibility, with stricter criteria for validity. GitHub has formalized boundaries between its own infrastructure and user-managed components, specifying that misconfigurations in user-owned repositories or GitHub Actions workflows won’t qualify for rewards [GitHub Blog]. This shift sets clearer expectations for researchers and reduces disputes over scope.

Rewards for low-severity issues are being recalibrated to avoid incentivizing trivial findings. Meanwhile, the average payout has risen 30% year-over-year, with total rewards surpassing $1 million since the program’s launch. One critical flaw in repository permissions—reported by a researcher in 2023—triggered a top-tier payout, underscoring the value of high-impact submissions.

The platform says the changes reflect lessons from years of processing reports, where duplicate or low-effort submissions strained review capacity. By focusing on quality, GitHub aims to strengthen trust with skilled researchers while filtering out noise.

Why it matters:
— Higher rewards and stricter standards push researchers toward meaningful vulnerabilities, not edge cases.
— Clearer scope reduces friction between GitHub and the security community, especially around user-controlled configurations.
— A leaner, more focused bounty program could become a model for other dev tools facing similar signal-to-noise challenges.
