The Trust Center lists a gated Bug Bounty DLOE document covering April through June 2025, available only via an access request.
This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The availability of a bug bounty program attestation document indicates GitHub maintains a formal vulnerability disclosure and reward program for Copilot-related infrastructure, which is relevant to enterprise security assessments and software supply chain security evaluations.
Interpretive note: The acronym DLOE is not defined in the visible document text; its precise meaning and the nature of the attestation it represents cannot be confirmed from the document alone.
This provision discloses the existence of a GitHub bug bounty program and an associated attestation document covering April through June 2025; the document is access-gated and requires a formal request to obtain.
Monitoring
GitHub has changed this document before.
Excerpt from GitHub's GitHub Copilot Business Privacy Statement: "GitHub.Bug.Bounty.DLOE.Apr.-.June.2025.pdf" (access-gated)
(1) REGULATORY LANDSCAPE: Bug bounty and vulnerability disclosure programs are referenced in frameworks such as NIST CSF and ISO 27001, and the EU NIS2 Directive sets expectations for coordinated vulnerability disclosure and vulnerability handling by the essential and important entities in its scope, which include providers of digital infrastructure. Enforcement in the EU is carried out by the competent cybersecurity authorities each member state designates under NIS2.
(2) GOVERNANCE EXPOSURE: Low. Disclosing a bug bounty program is a standard security transparency practice. The gated nature of the attestation document does not itself create compliance exposure.
(3) JURISDICTION FLAGS: EU/EEA organizations subject to NIS2 may need evidence of vulnerability disclosure practices from critical vendors. Organizations in regulated sectors such as financial services may have vendor security assessment requirements that specifically reference bug bounty or vulnerability disclosure programs.
(4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams conducting software supply chain security assessments should request the bug bounty attestation document and review its scope, in particular whether it covers the Copilot components the organization actually uses. B2B security addenda may benefit from referencing GitHub's vulnerability disclosure program commitments.
(5) COMPLIANCE CONSIDERATIONS: Legal and security teams should request the bug bounty attestation document through the portal and evaluate whether the program scope and coverage period align with the organization's vendor security requirements. Whether the document states the program's asset scope, reward structure, or remediation commitments cannot be determined without obtaining it. The attestation period noted is April through June 2025; teams should confirm whether more current documentation is available before relying on it.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.