GitHub scales back bug bounties, reminds users security is their responsibility too
Summary
GitHub is modifying its bug bounty program, shifting from cash rewards to swag for low-impact vulnerability reports and emphasizing that users share responsibility for the security of their own accounts and repositories. The platform has seen a surge in submissions, partly driven by AI tools, and needs to filter out low-value reports so triage effort goes to genuine security risks.
IFF Assessment
This is good news for defenders. By focusing its bug bounty program on higher-impact vulnerabilities and clearly defining what falls to users rather than the platform, GitHub concentrates triage and remediation effort on the reports that matter most.
Defender Context
This change by GitHub reflects a broader trend of security platforms re-evaluating their bug bounty programs as report volume grows and signal-to-noise drops, a problem often made worse by AI-generated submissions. Defenders should expect other platforms to de-prioritize low-impact reports in the same way, pushing researchers toward significant vulnerabilities and expecting users to take more direct ownership of their own security posture.