Instruction: Subdomains under `*.github.net` run services for our internal production network. Many of these services are not accessible from outside our internal network. Not all subdomains are [in-scope](https://bounty.github.com/#scope).
Integrity requirements:
Max severity: critical
Asset identifier: *.githubapp.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Subdomains under `*.githubapp.com` provide a number of internal services to GitHub employees. Not all subdomains are [in-scope](https://bounty.github.com/#scope).
Integrity requirements:
Max severity: critical
Asset identifier: *.githubusercontent.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical
Asset identifier: Dependabot
Asset type: OTHER
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Dependabot powers GitHub's [automated security fixes](https://help.github.com/en/articles/configuring-automated-security-fixes). This feature allows GitHub users to automatically update vulnerable dependencies. The core logic of Dependabot is [open-source](https://github.com/dependabot/dependabot-core) and an [overview of the architecture](https://github.com/dependabot/dependabot-core#architecture) is available.
* Execution environment breakout attacks, providing access to private networked resources or other users' data
* Security issues in [`dependabot-core`](https://github.com/dependabot/dependabot-core)
Integrity requirements: high
Max severity: critical
Asset identifier: GitHub CLI
Asset type: DOWNLOADABLE_EXECUTABLES
Availability requirement: medium
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: [GitHub CLI](https://cli.github.com) is an open source command line tool for working with your GitHub.com account. It is built with Go and performs several GitHub.com actions from your terminal, such as viewing, commenting on, and otherwise working with issues and PRs.
Integrity requirements: low
Max severity: high
Asset identifier: GitHub CSP
Asset type: OTHER
Availability requirement: none
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: While content-injection vulnerabilities are already in-scope for our [GitHub.com bounty](https://bounty.github.com/targets/github.html), we also accept bounty reports for novel [CSP](https://developers.google.com/web/fundamentals/security/csp/) bypasses affecting GitHub.com, even if they do not include a content-injection vulnerability. Using an intercepting proxy or your browser's developer tools, experiment with injecting content into the DOM. See if you can execute arbitrary JavaScript or exfiltrate sensitive page contents such as CSRF tokens. Reports of other previously-unknown impacts from content-injection will also be considered.
Previously identified attacks are not eligible for reward (we've put a lot of thought into CSP bypasses already). You can find a discussion of known attacks and our attempts to mitigate them [here](http://githubengineering.com/githubs-csp-journey/). Attacks against CSP features not used on GitHub.com, such as script nonces, are not eligible for reward. Vulnerabilities resulting from injection in implausible locations, such as within an element that doesn't contain user-content, are not eligible for reward. Rewards are determined at our discretion: if you think you've found something cool and novel, report it!
Integrity requirements: none
Max severity: high
Asset identifier: GitHub Desktop
Asset type: DOWNLOADABLE_EXECUTABLES
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: [GitHub Desktop](https://desktop.github.com) is an open-source [Electron](https://electronjs.org)-based app for working with your GitHub.com or GitHub Enterprise account. Only the following vulnerabilities are eligible for reward:
* Remote code execution via protocol handlers such as `x-github-client://`
* Code execution without user interaction when cloning or fetching malicious repositories
Integrity requirements:
Max severity: critical
Asset identifier: GitHub Enterprise Cloud
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: GitHub Enterprise Cloud is the cloud-hosted version of GitHub Enterprise. It is designed for teams who want advanced authentication and permissions without managing infrastructure. More information about GitHub Enterprise Cloud is available at https://github.com/enterprise
Integrity requirements:
Max severity: critical
Asset identifier: GitHub Enterprise Server
Asset type: HARDWARE
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: GitHub Enterprise Server is the on-premise version of GitHub Enterprise. GitHub Enterprise Server shares a code-base with GitHub.com, is built on Ruby on Rails and leverages a number of open source technologies. GitHub Enterprise Server adds a number of features for enterprise infrastructures, including additional authentication backends and clustering options.
Below is a subset of features unique to GitHub Enterprise that might be interesting to investigate.
* Bypassing instance-wide authentication, also known as [*private mode*](https://help.github.com/enterprise/admin/guides/installation/enabling-private-mode/)
* External authentication backends including [CAS, LDAP, and SAML](https://help.github.com/enterprise/admin/guides/user-management/)
* In-app administration of the instance using a site administrator control panel
* [User, organization, and repository migration](https://help.github.com/enterprise/admin/guides/migrations/)
* [Web-based management console](https://help.github.com/enterprise/admin/guides/installation/web-based-management-console/) and [SSH access](https://help.github.com/enterprise/admin/guides/installation/administrative-shell-ssh-access/) to configure and update the instance
* [Pre-receive hook scripts](https://help.github.com/enterprise/admin/guides/developer-workflow/creating-a-pre-receive-hook-script/)
* [GitHub Connect](https://help.github.com/enterprise/admin/guides/developer-workflow/connecting-github-enterprise-server-to-github-com/) allows users to share specific features and workflows between your GitHub Enterprise Server instance and a GitHub.com organization on GitHub Enterprise Cloud.
* See [our documentation](https://help.github.com/enterprise/admin/guides/installation/network-ports-to-open/) for a list of services typically open on an instance.
You can request a trial of GitHub Enterprise Server for security testing at [https://enterprise.github.com/bounty](https://enterprise.github.com/bounty).
Integrity requirements:
Max severity: critical
Asset identifier: GitHub Pages
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: GitHub Pages is our static site hosting service designed to host your personal, organization, or project pages directly from a GitHub repository. It uses the Jekyll static site generator, and officially supported themes are developed in the pages-themes organization. GitHub Pages supports custom domains and can be secured with HTTPS. Eligible submissions include:
* Executing arbitrary code during the build process, either via a custom Jekyll theme or via vulnerabilities in the command-line Git tools when cloning or checking out repositories
* Reading arbitrary files during the build process which discloses sensitive information, for example by misusing path traversal or symbolic links in a custom Jekyll theme
**Individual GitHub Pages sites hosted under `*.github.io` are out-of-scope.**
Integrity requirements:
Max severity: critical
Asset identifier: GitHub Production Credentials
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: GitHub, Inc. uses a mix of our own physical infrastructure, cloud platforms and third-party services to keep everything running smoothly. Keeping credentials and access tokens secure for these resources is paramount to the security of our employees and users.
* Credentials allowing access to cloud services, package managers and other resources used by GitHub, Inc employees
* Credentials accidentally made public in repositories which allow access to GitHub, Inc resources. This does *not* include credentials exposed by our users, or credentials which do not allow access to GitHub, Inc resources.
* Credentials exposed by third-party services which allow access to GitHub, Inc resources
Please review our [guidance for handling PII](https://bounty.github.com/#handling_personally_identifiable_information_pii) before investigating credentials allowing access to GitHub, Inc resources. The reward amount is based on the impact of the leaked credential which will be determined by the GitHub Security team.
Integrity requirements:
Max severity: critical
Asset identifier: GitHub for mobile
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Bring GitHub collaboration tools to your small screens with [GitHub for mobile](https://github.com/mobile).
Integrity requirements:
Max severity: critical
Asset identifier: api.github.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: The GitHub API is used by thousands of developers and applications to programmatically interact with GitHub data and services. Because so much of the GitHub.com functionality is exposed in the API, security has always been a high priority.
Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors.
You can find the app at [https://api.github.com](https://api.github.com "https://api.github.com") and can find the API documentation at [https://developer.github.com](https://developer.github.com "https://developer.github.com").
Integrity requirements: high
Max severity: critical
Asset identifier: classroom.github.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical
Asset identifier: education.github.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: GitHub Education offers a variety of tools to help educators and researchers work more effectively inside and outside of the classroom. More details are available at https://education.github.com/. GitHub Classroom is [open-source](https://github.com/education/classroom).
Integrity requirements:
Max severity: critical
Asset identifier: gist.github.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: Gist is one of the first products launched by GitHub after GitHub.com. It is a service for sharing snippets of code or other text content. Gist is built on Ruby on Rails and leverages a number of Open Source technologies.
Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is \<2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at \>60% of our traffic, will earn a much larger reward.
You can find the app at [https://gist.github.com](https://gist.github.com "https://gist.github.com").
Integrity requirements: medium
Max severity: critical
Asset identifier: github.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: GitHub.com is our main web site. It is our most intricate application with a number of user inputs and access methods. GitHub.com is built on Ruby on Rails and leverages a number of Open Source technologies.
Rewards range from $555 up to $20,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is \<2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at \>60% of our traffic, will earn a much larger reward.
You can find the app at [https://github.com](https://github.com "https://github.com").
Integrity requirements: high
Max severity: critical
Asset identifier: npm CLI
Asset type: DOWNLOADABLE_EXECUTABLES
Availability requirement: medium
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: high
Asset identifier: npmjs.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is the domain for npm’s public-facing websites. All subdomains under npmjs.com are in scope.
Integrity requirements:
Max severity: critical
Asset identifier: npmjs.org
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is the domain for npm’s registry, public-facing databases, and APIs. All subdomains under npmjs.org are in scope.