GitHub Enterprise is the on-premises version of GitHub. GitHub Enterprise shares a code-base with GitHub.com, is built on Ruby on Rails and leverages a number of open source technologies.
GitHub Enterprise adds a number of features for enterprise infrastructures. This includes additional authentication backends and clustering options. Below is a subset of features unique to GitHub Enterprise that might be interesting to investigate.
Rewards range from $200 up to $10,000 and are determined at our discretion based on a number of factors. For example, a vulnerability in a service that is intended to be restricted from external access would have a lower reward than one within the core GitHub Enterprise web interface.
You can request a trial of GitHub Enterprise for security testing at https://enterprise.github.com/bounty.
Resources and features provided by the latest patch release of each non-deprecated version of the GitHub Enterprise virtual machine. Major versions of GitHub Enterprise are deprecated one year after release. For more information see this list of releases.
All listening services hosted on a GitHub Enterprise instance. See our documentation for a reference of ports typically opened on a GitHub Enterprise instance.
Vulnerabilities present in GitHub Enterprise when subdomain isolation is disabled are not in scope.
Administrative SSH access grants sudo, which can be used to escalate to root permissions. Given this existing level of privilege, local escalation of the administrative account to root permissions is not considered in scope.
GitHub Enterprise uses code obfuscation to discourage the modification of the application. We are aware of de-obfuscation techniques that could be used to reveal source code or bypass license restrictions. These issues are not in scope for the bug bounty program.
Code de-obfuscation may be explored to further investigate GitHub Enterprise, but only for the purpose of the bounty program. Bounty hunters still need to abide by all of our other Bounty program rules and terms and the applicable software license terms.
enterprise.github.com is not in scope for the Bug Bounty program at this time.
| Rank | Points | Researcher | Finding |
| --- | --- | --- | --- |
| 1 | 10000 pts | Markus Fenske | GitHub Enterprise management console remote code execution |
| 2 | 7500 pts | Orange Tsai | GitHub Enterprise remote code execution via SSRF |
| 3 | 5000 pts | Brian Soby, Freefly Security | GitHub Enterprise SAML signature bypass |
| 4 | 5000 pts | Ioannis Kakavas | GitHub Enterprise SAML signature bypass |
| 5 | 10000 pts | Ioannis Kakavas | GitHub Enterprise SAML authentication bypass |