From Curiosity to Impact: How Hackers Help Keep GitHub Secure 🛡️

[ghostinhershell]

When you think of hacking, you might picture something out of a movie:

In reality, many hackers use their skills to protect systems and help companies stay secure. This is where bug bounty programs come in. They reward security researchers who find and responsibly report vulnerabilities, helping keep platforms like GitHub safe for everyone.

Whether you’re brand new to GitHub or already contributing to projects, learning how security fits into the picture is an important step in your journey. You don’t need to be a security expert to start exploring this world, you just need curiosity and a willingness to learn.

A few months back we spoke with Shilpa Kumari (@shilpakum), a Senior Product Security Engineer on GitHub’s Bug Bounty team, to get a behind-the-scenes look at how the program works and how hackers are making a positive impact.

If you’ve ever wondered:

• What exactly is a bug bounty program?
• How do security researchers work with companies like GitHub?
• Can someone new to tech get involved or learn from these programs?

…this interview is a great place to start.

👉 Read the interview here: Hacking for Good: A Behind-the-Scenes Look at GitHub’s Bug Bounty Program 👩🏾‍💻

---

After reading, share your thoughts below:

• What surprised you most about how the program works?
• What role do you think security should play in the open source community?

[ghostinhershell]

What surprised you most about how the program works?

This isn't something that surprised me about how the program itself worked BUT this quote from Shilpa did surprise me:

“(A common misconception about bug bounty programs is that you) need to be a hacking expert to start” Many new researchers assume this, but from what I’ve seen, plenty of successful hunters begin with just a basic grasp of web security and build their skills over time.

I always somewhat assumed that folks who participate in programs like the bug bounty program are experts and highly experienced. It goes to show that, if this is something that you're interested in participating in, the only thing stopping you is your ability to just start somewhere.

What role do you think security should play in the open source community?

I’m a big believer in “secure by default.” If we set things up so secure choices are the easy, obvious choices, it helps everyone, maintainers, contributors, and users, start from a safer place without extra steps.

As a community manager here at GitHub, that means weaving security into the everyday: sharing quick tips on safe contributions, making sure sensitive info isn’t posted in public threads, and connecting reports to the right folks fast. Little habits like these add up to a culture where security is just part of how we work together.

Alright Community, I'm excited to hear your thoughts as well!

[Julian-Dumitrascu]

I appreciate it that you start conversations and help build them.
I like it that Shilpa supports security by default. (It reminds me of the fact that I put safety first.)
Why is it that you could mention her and I can't?
I find it useful that you've given examples of actions that we can take in order for us maybe soon hundreds of millions of people to use GitHub safely together.