GitHub Tightens Bug Bounty Rules to Combat Flood of Low-Quality Submissions
GitHub is raising the bar for its bug bounty program, imposing stricter validation requirements after a surge in low-quality submissions threatened to overwhelm the system. The platform, which serves over 180 million developers, said it will now require working proof-of-concept exploits before any report is accepted. Ineligible findings will be closed as “Not Applicable,” potentially harming researchers’ HackerOne reputation.
“We’re seeing a sharp increase in submissions that don’t demonstrate real security impact,” a GitHub security spokesperson told reporters. “This isn’t unique to us—programs across the industry are grappling with the same challenge, and some have shut down entirely.” GitHub stressed it does not plan to end its program but instead aims to invest in making it more effective.
Background
GitHub’s bug bounty program has long relied on external researchers to find and fix vulnerabilities. Over the past year, however, submission volume has exploded—partly due to new AI tools that lower the barrier to entry. While more researchers mean more potential discoveries, many reports lack a proof of concept, describe theoretical attacks that can’t be replicated, or involve issues already listed as out of scope.

“More people exploring attack surfaces means more opportunities to find real issues, but it also generates noise,” the spokesperson explained. The company observed that some programs have shut down entirely under the weight of low-quality submissions, a fate GitHub wants to avoid.
What This Means
For security researchers, the changes are immediate and significant. Submissions must now include a working proof of concept that demonstrates concrete security impact—not just a theoretical risk. Reports will be evaluated more strictly against three criteria: demonstrated exploitation, awareness of scope and ineligible findings, and validation before submission.

Researchers using AI or automated scanners must manually verify their outputs before filing a report. “A false positive that’s been manually reviewed is caught before it wastes anyone’s time. One that hasn’t is just noise,” the spokesperson noted. GitHub explicitly supports the use of AI in security research, calling it “a force for good.”
Failure to comply could harm a researcher’s HackerOne Signal and reputation, as ineligible reports will be closed as “Not Applicable.” The new policy aims to reduce noise while ensuring legitimate vulnerabilities are still rewarded. GitHub emphasized that collaboration with external researchers remains a cornerstone of its security strategy.