Mbkuae Stack

GitHub Cuts Cash Bounties for Low-Impact Bugs, Urges Researchers to Focus on Real Threats

GitHub replaces cash bounties with swag for low-severity bugs, citing AI-driven surge in low-quality reports. Urges researchers to verify submissions.

Mbkuae Stack · 2026-05-20 06:30:41 · Science & Space

Breaking: GitHub Overhauls Bug Bounty Program, Cuts Cash Rewards for Low-Severity Reports

GitHub has announced a major shift in its bug bounty program, replacing cash payouts with swag for low-impact security reports and calling on researchers to stop submitting low-quality or out-of-scope findings. The move comes as the platform experiences a surge in submissions, many generated by AI tools that fail to demonstrate real security threats.

GitHub Cuts Cash Bounties for Low-Impact Bugs, Urges Researchers to Focus on Real Threats
Source: www.infoworld.com

According to Jarom Brown, a senior security researcher at GitHub, "Not every valid submission represents a meaningful security risk. Some reports identify hardening opportunities or documentation gaps." Brown emphasized that the company still values researcher contributions but needs to focus on genuine vulnerabilities.

Background

GitHub’s bug bounty program has long offered cash rewards for security flaws found on its platform. Over the past year, the volume of submissions has skyrocketed, driven by new generative AI tools that can automate the search for weak points.

Brown explained that many reports describe out-of-scope scenarios where a user interacts with malicious content. "These reports are often well-written and technically accurate, but they misunderstand where the security boundary lies," he wrote in a blog post. When an attack requires the victim to actively engage with attacker-controlled content, it does not represent a bypass of GitHub’s controls.

The company now asks researchers not to submit reports on issues that fall outside GitHub’s security boundary or scope. This includes reports lacking a working proof of concept, theoretical attacks that do not hold up under review, and issue classes already listed as ineligible for rewards.


What This Means

Researchers will now receive only swag—merchandise like stickers and t-shirts—for low-severity reports. High-impact vulnerabilities still qualify for cash bounties, but the bar for what constitutes a real threat has been raised.

Brown made clear that GitHub welcomes AI tools in security research: "AI is a force multiplier, and we expect it to play an increasing role in security research." However, any AI-generated finding must be reviewed and validated by a human before it is submitted. This rule applies to every tool used in bug hunting, not only large language models.

GitHub is not alone in struggling with AI-generated noise. Industry analysts note that security vendors, open-source maintainers, and bug bounty platforms are increasingly complaining about low-quality automated reports. The open-source curl project has ended its bug bounty program, citing "AI slop," and HackerOne paused payouts for certain categories last year.

For researchers, the takeaway is clear: focus on high-impact, verified vulnerabilities. GitHub’s move aims to streamline its triage process and ensure that legitimate threats get prompt attention, while reducing wasted effort on noise.
