GitHub Enterprise Server
Synopsis
GitHub Enterprise Server is the on-premises version of GitHub Enterprise. GitHub Enterprise Server shares a code base with GitHub.com, is built on Ruby on Rails, and leverages a number of open source technologies. GitHub Enterprise Server adds a number of features for enterprise infrastructures, including additional authentication backends and clustering options.
You can request a trial of GitHub Enterprise Server for security testing at https://enterprise.github.com/bounty. Code de-obfuscation may be used to investigate GitHub Enterprise Server further, but only for the purpose of the bounty program.
Focus areas
- Bypassing instance-wide authentication, also known as private mode
- External authentication backends including CAS, LDAP, and SAML
- In-app administration of the instance using a site administrator control panel
- User, organization, and repository migration
- Web-based management console and SSH access to configure and update the instance
- Pre-receive hook scripts
- GitHub Connect, which shares specific features and workflows between a GitHub Enterprise Server instance and a GitHub.com organization on GitHub Enterprise Cloud
- See our documentation for a list of services typically open on an instance.
Out of scope
- https://enterprise.github.com/login is a separate management portal for GitHub Enterprise Server customers and is not in scope at this time.
- Vulnerabilities not present in the latest patch release of each non-deprecated version of GitHub Enterprise Server. Major versions of GitHub Enterprise Server are deprecated one year after release. For more information, see this list of releases.
Ineligible submissions
- Vulnerabilities caused by lack of subdomain isolation
Vulnerabilities present in GitHub Enterprise Server only when subdomain isolation is disabled. GitHub recommends that all GitHub Enterprise Server installations have subdomain isolation enabled.
- Escalation to the root user via sudo
Administrative SSH access includes sudo, which can be used to escalate to root permissions. Given this existing level of privilege, local escalation of the administrative account to root permissions is not considered in scope.
- Access to sensitive configuration information with local access
Access to the GitHub Enterprise Server appliance shell and its containers is expected to include access to sensitive information and credentials that are required to operate local services.
- Bypassing source code de-obfuscation
GitHub Enterprise Server uses code obfuscation to discourage the modification of the application. We are aware of de-obfuscation techniques that could be used to reveal source code or bypass license restrictions.