GitHub Tightens Bug Bounty Rules to Combat Flood of Low-Quality Submissions


GitHub is raising the bar for its bug bounty program, imposing stricter validation requirements after a surge in low-quality submissions threatened to overwhelm the system. The platform, which serves over 180 million developers, said it will now require working proof-of-concept exploits before any report is accepted. Ineligible findings will be closed as “Not Applicable,” potentially harming researchers’ HackerOne reputation.

“We’re seeing a sharp increase in submissions that don’t demonstrate real security impact,” a GitHub security spokesperson told reporters. “This isn’t unique to us—programs across the industry are grappling with the same challenge, and some have shut down entirely.” GitHub stressed it does not plan to end its program but instead aims to invest in making it more effective.

Background

GitHub’s bug bounty program has long relied on external researchers to find and fix vulnerabilities. Over the past year, however, submission volume has exploded—partly due to new AI tools that lower the barrier to entry. While more researchers mean more potential discoveries, many reports lack a proof of concept, describe theoretical attacks that can’t be replicated, or involve issues already listed as out of scope.

[Image: GitHub Tightens Bug Bounty Rules to Combat Flood of Low-Quality Submissions. Source: github.blog]

“More people exploring attack surfaces means more opportunities to find real issues, but it also generates noise,” the spokesperson explained. The company observed that some programs have shut down entirely under the weight of low-quality submissions, a fate GitHub wants to avoid.

What This Means

For security researchers, the changes are immediate and significant. Submissions must now include a working proof of concept that demonstrates concrete security impact—not just a theoretical risk. Reports will be evaluated more strictly against three criteria: demonstrated exploitation, awareness of scope and ineligible findings, and validation before submission.


Researchers using AI or automated scanners must manually verify their outputs before filing a report. “A false positive that’s been manually reviewed is caught before it wastes anyone’s time. One that hasn’t is just noise,” the spokesperson noted. GitHub explicitly supports the use of AI in security research, calling it “a force for good.”

Failure to comply could harm a researcher’s HackerOne Signal and reputation, as ineligible reports will be closed as “Not Applicable.” The new policy aims to reduce noise while ensuring legitimate vulnerabilities are still rewarded. GitHub emphasized that collaboration with external researchers remains a cornerstone of its security strategy.
