GitHub has made some changes to its bug bounty program, allowing researchers to report bugs with less legal risk. Furthermore, the Microsoft-owned code-hosting platform has removed the upper cap on bounty payouts.
For researchers who find critical bugs, GitHub would previously pay between $20,000 and $30,000. Hardly a poor sum, but modest considering the damage some bugs can cause. The company says it will now reward “significantly more for truly cutting-edge research”, with no fixed maximum.
The move is part of a revamp of the site’s security bug bounty setup, which is now half a decade old. GitHub’s refresh includes better rewards and legal protection for hackers.
Smaller rewards have also been increased. GitHub now rewards between $10,000 and $20,000 for high-severity bugs, between $4,000 and $10,000 for medium-severity, and between $617 and $2,000 for low-severity bugs.
“We regularly assess our reward amounts against our industry peers. We also recognize that finding higher-severity vulnerabilities in GitHub’s products is becoming increasingly difficult for researchers and they should be rewarded for their efforts. That’s why we’ve increased our reward amounts at all levels,” said GitHub’s Phil Turnbull in a blog post.
The program’s scope has been widened too. All first-party services under GitHub.com are now eligible for rewards, including properties such as GitHub Jobs, GitHub Learning Lab, and GitHub Education. The company’s Enterprise Cloud service is also included in the bug bounty program.
Previously, a security researcher who violated the company’s terms of service while looking for a bug could face legal risk. GitHub says it has now relaxed that framework by adding a Legal Safe Harbor section to its policy.
The safe-harbor terms shield researchers from liability for terms-of-service violations that occur in the course of good-faith security research conducted within the policy’s scope.
“To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good-faith violations of this policy,” GitHub’s safe-harbor terms read.
“We consider security research and vulnerability disclosure activities conducted consistent with this policy to be ‘authorized’ conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this bug-bounty program’s scope.”