GitHub Credentials | GitHub Bug Bounty

GitHub Credentials

Synopsis

GitHub, Inc. uses a mix of our own physical infrastructure, cloud platforms and third-party services to keep everything running smoothly. Keeping credentials and access tokens secure for these resources is paramount to the security of our employees and users.

Please review our guidance for handling PII before investigating credentials allowing access to GitHub, Inc. resources. The reward amount is based on the impact of the leaked credential, which will be determined by the GitHub Security team.

Focus areas

  • Credentials allowing access to cloud services, package managers and other resources used by GitHub, Inc. employees
  • Credentials accidentally made public in repositories which allow access to GitHub, Inc. resources. This does not include credentials exposed by our users and credentials which do not allow access to GitHub, Inc. resources.
  • Credentials exposed by third-party services which allow access to GitHub, Inc. resources

Ineligible submissions

Credentials which have been detected by GitHub’s Token Scanning feature

GitHub’s Token Scanning feature automatically detects credentials accidentally committed to repositories for a number of service providers. Credentials for GitHub, Inc. resources that have already been found via this feature are ineligible for reward.