GitHub is updating its bug bounty program to address a surge in low-quality submissions driven partly by AI tools. Key changes include stricter requirements for working proof-of-concept exploits, clearer shared responsibility boundaries (e.g., cloning malicious repos is user responsibility), and replacing bounty payouts with swag for low-risk findings that don't demonstrate significant security impact. GitHub explicitly welcomes AI-assisted research but requires human validation before submission. The post also clarifies which scenarios fall under shared responsibility versus genuine platform security bypasses, and encourages researchers to prioritize depth over volume.
Table of contents

The volume problem
What makes a strong submission
We welcome AI in security research
Understanding GitHub’s security model: Shared responsibility
What this means for researchers
Changes to how we reward low-risk findings
Looking ahead