GitHub Tightens Bug Bounty Rules Amid Flood of Incomplete Security Reports
San Francisco, CA — GitHub is overhauling its bug bounty program, imposing stricter submission criteria effective immediately, as the platform faces a surge in low-quality reports that threaten to overwhelm its security review process. The new rules require researchers to provide a working proof of concept with demonstrable security impact, verify findings before submission, and adhere strictly to program scope.
“We remain deeply committed to collaborating with the security research community, but the volume of incomplete and non-impactful submissions has grown significantly,” said a GitHub spokesperson. “To ensure the program remains effective and sustainable, we are raising the bar on what constitutes a complete submission.”
The Volume Problem
Over the past year, submission volume across the industry has exploded, driven in part by new AI tools that lower the barrier to entry. While more eyes on attack surfaces can uncover real vulnerabilities, GitHub reports a sharp rise in submissions lacking a proof of concept, describing only theoretical scenarios or citing findings already on the ineligible list. This trend, the company noted, has led some other programs to shut down entirely.

“AI is a force for good in security research, but it also generates noise that we must filter out,” the spokesperson added. “We don’t want to close our program. We want to invest in making it better.”
New Submission Criteria
Effective now, all reports will be evaluated against three core requirements:
- Working proof of concept with demonstrated impact: Researchers must show concrete exploitation, not just describe a potential vulnerability. Reports stating “this could lead to…” without proof will be considered incomplete.
- Awareness of scope and ineligible findings: Submissions covering known ineligible categories (e.g., DMARC/SPF/DKIM configuration, user enumeration, missing security headers without an attack path) will be closed as “Not Applicable,” potentially affecting the researcher’s HackerOne Signal and reputation.
- Validation before submission: Regardless of the tools used (scanners, static analysis, AI assistants), every finding must be manually validated. A false positive caught before submission saves time; one that isn’t is simply noise.
Background
GitHub’s bug bounty program has long been a cornerstone of its security strategy, relying on external researchers to help protect the platform’s over 180 million developers. Launched years ago, the program offers rewards for valid vulnerabilities and has been widely praised for its collaborative approach. However, like many industry programs, it has struggled with an influx of low-quality reports as automated tools and AI assistants make it easier for newcomers to submit findings without proper vetting. Some programs have responded by shutting down or dramatically reducing scope, a path GitHub explicitly rejects.

What This Means
For security researchers, the changes signal a shift toward quality over quantity. Thorough, well-validated reports will continue to earn rewards, but cursory scans or AI-generated outputs without manual verification will be quickly dismissed. Researchers risk damaging their HackerOne standing if they repeatedly submit out-of-scope or unsubstantiated claims. For GitHub, the tighter criteria aim to preserve the program’s viability and focus internal resources on genuine vulnerabilities. The company emphasizes that AI tools remain welcome in research, but they must be used responsibly. Ultimately, the update reinforces a broader industry trend: as bug bounty programs mature, submissions must carry real evidence and demonstrate tangible risk.