GitHub Bug Bounty

Scope

GitHub runs a number of services but only submissions under the following domains are eligible for rewards. Any GitHub-owned domains not listed below are not in scope, not eligible for rewards, and not covered by our legal safe harbor.

  • github.com

    • This is our main domain for hosting user-facing GitHub services. All subdomains under github.com are in-scope except:
    • blog.github.com
    • community.github.com
    • email.enterprise.github.com
    • email.finance.github.com
    • email.staging.finance.github.com
    • email.support.github.com
    • email.verify.github.com
    • google7650dcf6146f04d8.github.com
    • k1._domainkey.github.com
    • k1._domainkey.mcmail.github.com
    • mcmail.github.com
    • resources.github.com
    • *.resources.github.com
    • sgmail.github.com
    • *.sgmail.github.com
    • shop.github.com
    • smtp.github.com
    • *.smtp.github.com

  • githubassets.com

    • This is our domain for hosting static assets. All subdomains under githubassets.com are in-scope.

  • githubusercontent.com

    • This is our domain for hosting and rendering users’ data. All subdomains under githubusercontent.com are in-scope.

  • githubapp.com

    • This is our domain for hosting employee-facing services. All subdomains under githubapp.com are in-scope except:
    • atom-io.githubapp.com
    • atom-io-staging.githubapp.com
    • email.enterprise-staging.githubapp.com
    • email.haystack.githubapp.com
    • reply.githubapp.com

  • githubwebhooks.net

    • This is our domain for receiving webhooks for employee-facing services. All subdomains under githubwebhooks.net are in-scope.

  • github.net

    • This is our domain for hosting GitHub’s internal production services. Many of these services are not accessible from outside our internal network. All subdomains under github.net are in-scope.

  • npmjs.com

    • This is the domain for npm’s public-facing websites. All subdomains under npmjs.com are in-scope.

  • npmjs.org

    • This is the domain for npm’s registry, public-facing databases, and APIs. All subdomains under npmjs.org are in-scope.

  • GitHub CLI

    • GitHub CLI is an open source command line tool for working with your GitHub.com account.

  • GitHub Desktop

    • GitHub Desktop is an open-source Electron-based app for working with your GitHub.com or GitHub Enterprise account.

  • GitHub Mobile

    • GitHub Mobile is an app to bring GitHub collaboration tools to your small screens.

  • GitHub Enterprise Server

    • GitHub Enterprise Server is the on-premise version of GitHub Enterprise.

  • GitHub Enterprise Cloud

    • GitHub Enterprise Cloud is the cloud-hosted version of GitHub Enterprise.