GitHub Tightens Bug Bounty Rules to Combat Flood of Low-Quality Submissions
GitHub is raising the bar for its bug bounty program, imposing stricter validation requirements after a surge in low-quality submissions threatened to overwhelm the system. The platform, which serves over 180 million developers, said it will now require working proof-of-concept exploits before any report is accepted. Ineligible findings will be closed as “Not Applicable,” potentially harming researchers’ HackerOne reputation.
“We’re seeing a sharp increase in submissions that don’t demonstrate real security impact,” a GitHub security spokesperson told reporters. “This isn’t unique to us—programs across the industry are grappling with the same challenge, and some have shut down entirely.” GitHub stressed it does not plan to end its program but instead aims to invest in making it more effective.
Background
GitHub’s bug bounty program has long relied on external researchers to find and fix vulnerabilities. Over the past year, however, submission volume has exploded—partly due to new AI tools that lower the barrier to entry. While more researchers mean more potential discoveries, many reports lack a proof of concept, describe theoretical attacks that can’t be replicated, or involve issues already listed as out of scope.

“More people exploring attack surfaces means more opportunities to find real issues, but it also generates noise,” the spokesperson explained. The company observed that some programs have shut down entirely under the weight of low-quality submissions, a fate GitHub wants to avoid.
What This Means
For security researchers, the changes are immediate and significant. Submissions must now include a working proof of concept that demonstrates concrete security impact—not just a theoretical risk. Reports will be evaluated more strictly against three criteria: demonstrated exploitation, awareness of scope and ineligible findings, and validation before submission.

Researchers using AI or automated scanners must manually verify their outputs before filing a report. “A false positive that’s been manually reviewed is caught before it wastes anyone’s time. One that hasn’t is just noise,” the spokesperson noted. GitHub explicitly supports the use of AI in security research, calling it “a force for good.”
Failure to comply could harm a researcher’s HackerOne Signal and reputation, as ineligible reports will be closed as “Not Applicable.” The new policy aims to reduce noise while ensuring legitimate vulnerabilities are still rewarded. GitHub emphasized that collaboration with external researchers remains a cornerstone of its security strategy.