
Elevating Standards: Collaboration and Quality in GitHub's Bug Bounty Evolution

Last updated: 2026-05-17 15:04:52 · Cybersecurity

The security research community stands as one of GitHub's most valuable allies. Each year, researchers globally help uncover and patch vulnerabilities, strengthening the platform for over 180 million developers. Our bug bounty program is built on the belief that partnering with external researchers is among the most effective security strategies, and we remain fully dedicated to this approach.

However, like all bug bounty initiatives, we must evolve with the changing landscape. We want to share our observations, the steps we're taking, and our perspective on the security boundaries of a platform like GitHub.

The Surge in Submissions

Over the past year, the number of submissions industry-wide has skyrocketed. New tools, including artificial intelligence, have lowered the entry barrier for security research—a largely positive development. More people exploring attack surfaces increases the chance of finding genuine issues.

Source: github.blog

Yet, alongside legitimate reports, we've witnessed a dramatic rise in submissions lacking real security impact. These include reports without proof of concept, theoretical scenarios that fail scrutiny, and findings already listed in our published ineligible categories. This challenge is not unique to GitHub; many programs face the same issue, and some have even shut down entirely.

We have no intention of closing our program. Instead, we're investing in making it better.

Defining a Strong Submission

We are raising the bar for what constitutes a complete submission. Moving forward, reports will be assessed more rigorously against these criteria:

Working Proof of Concept with Demonstrated Impact

Provide a working proof of concept that shows real exploitation and concrete security impact. Don't just describe what could happen; show us what an attacker can actually achieve. Demonstrate that a security boundary was really crossed, not merely that it could be in theory. If your report says "this could lead to..." without proving that it does, it is incomplete.


Awareness of Scope and Ineligible Findings

Before submitting, review our scope and ineligible findings list. Reports covering known excluded categories—such as DMARC/SPF/DKIM configurations, user enumeration, missing security headers without an attack path, and others—will be closed as Not Applicable. This action may affect your HackerOne Signal and reputation.

Validation Before Submission

Regardless of the tools used (scanners, static analysis, AI assistants), validate the output before submitting. A false positive that has been manually reviewed is caught before it wastes anyone's time. One that hasn't is simply noise.

Welcoming AI in Security Research

We want to be clear: we have no objection to researchers using AI tools. AI is a powerful force for good in security research, enabling more creative and thorough investigations. We encourage its responsible use, as long as researchers confirm findings independently before reporting.

By embracing quality over quantity, we aim to foster a more effective partnership with the research community, ensuring that every report contributes meaningfully to platform security.