Hello hackers! Here are our February bug bounty stats!
🐛 200 bounty reports submitted
👩‍💻 144 hackers participated in our program
💰 Awarded $48,589 in bounties
Found a vulnerability? Submit it here:
https://t.co/HG2AqybW0p
We wrapped up 2025 on a high note—here are the bug bounty stats for December!
✅ 151 bounty reports submitted
👥 110 hackers participated in our program
💰 Awarded $48,367 in bounties
Found a vulnerability? Submit it here: https://bounty.github.com.
Learn why some vulnerabilities resist fuzzing and persist in long-enrolled OSS-Fuzz projects, and how you can find them!
In just 17 minutes, 📌 Jaroslav Lobačevski shares his knowledge about securing GitHub Actions, drawing from hands-on experience uncovering hundreds of real-world vulnerabilities.
Topics include:
• Best practices for using third-party actions
• The security model of GitHub Actions: tokens and permissions, job isolation and secrets
• pull_request vs pull_request_target
• Common pitfalls that lead to Remote Code Execution (RCE): interpolation and environment injections, cache poisoning
• …and more
The talk wraps up with FREE tools to automate GitHub Actions security you can start using TODAY.
GitHub Security Lab discovered a critical vulnerability in WooCommerce. We’d like to thank WooCommerce/Automattic for their incredibly quick response and fix of the vulnerability.
“A critical vulnerability was discovered in WooCommerce (versions 8.1 to 10.4.2) that, if exploited, could allow logged-in customers to access order details belonging to guest customers.”
If you are using WooCommerce, please update. For more info see WooCommerce’s blog post:
https://developer.woocommerce.com/2025/12/22/store-api-vulnerability-patched-in-woocommerce-8-1/