As we wrap Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to spotlight another top performing security researcher who participates in the GitHub Security Bug Bounty Program, André Storfjord Kristiansen!

GitHub is dedicated to maintaining the security and reliability of the code that powers millions of development projects every day. GitHub’s Bug Bounty Program is a cornerstone of our commitment to securing both our platform and the broader software ecosystem.

With the rapid growth of AI-powered features like GitHub Copilot, GitHub Copilot coding agent, GitHub Spark, and more, our focus on security is stronger than ever—especially as we pioneer new ways to assist developers with intelligent coding. Collaboration with skilled security researchers remains essential, helping us identify and resolve vulnerabilities across both traditional and emerging technologies.

We have also been closely auditing the researchers participating in our public program—to identify those who consistently demonstrate expertise and impact—and inviting them to our exclusive VIP bounty program. VIP researchers get direct access to:

• Early previews of beta products and features before public launch
• Dedicated engagement with GitHub Bug Bounty staff and the engineers behind the features they’re testing 😄
• Unique Hacktocat swag—including this year’s brand new collection!

Explore this blog post to learn more about our VIP program and discover how you can earn an invitation!

As part of ongoing Cybersecurity Awareness Month celebration this October, we’re spotlighting another outstanding researcher from our Bug Bounty program and exploring their unique methodology, techniques, and experiences hacking on GitHub. @dev-bio is particularly skilled in identifying injection-related vulnerabilities and has discovered some of the most subtle and impactful issues in our ecosystem. They are also known for providing thorough, detailed reports that greatly assist with impact assessments and enable us to take quicker, more effective action.

How did you get involved with Bug Bounty? What has kept you coming back to it?

I got involved with the program quite coincidentally while working on a personal project in my spare time. Given my background in (and passion for) software engineering, I’m always curious about how systems behave, especially when it comes to handling complex edge cases. That curiosity often leads me to pick apart new features or changes I encounter to see how they hold up—something that has taken me down fascinating rabbit holes and ultimately led to some findings with great impact.

What keeps me going is the thrill of showing how seemingly minor issues can have real-world impact. Taking something small and possibly overlooked, exploring its implications, and demonstrating how it could escalate into a serious vulnerability feels very rewarding.

What do you enjoy doing when you aren’t hacking?

Having recently become a father of two, much of my time outside of work revolves around being present with my family and striving to be the best version of myself for them. I also want to acknowledge that my partner—my favorite person and better half—has been incredibly supportive. Even if she has no clue what I’m doing during my late-night sessions, she gives me uninterrupted time to work on my side projects, for which I’m deeply grateful.

I’m from Norway, and one of the many benefits of living here is the easy access to incredible nature. We try to make the most of it together through hiking, camping, and cross-country skiing. Being out in the wilderness is a perfect way to disconnect, recharge, and gain perspective away from a busy world. We find that after time outdoors, one can come back more grounded, with a clear mind and renewed focus.

How do you keep up with and learn about vulnerability trends?

I stay up to date by reading write-ups from other researchers, which are an excellent way to see how others are approaching problems and what kinds of vulnerabilities are being uncovered. While this is important, one should also attempt to stay ahead of the curve, so I try to identify and dive into areas that are in need of further research.

Professionally, as a security engineer, my primary area of expertise is software supply chain security, an often-neglected but increasingly important field. I spend much of my time researching gaps and developing solutions to mitigate emerging threats. I’m also very lucky to work closely with some of the best talent in Norway.

What tools or workflows have been game-changers for your research? Are there any lesser-known utilities you recommend?

When doing research in my spare time, I prefer to write my own tools rather than relying solely on what you get off the shelf, as I find that it gives me a deeper understanding of the problem and helps me identify new areas that could be worth exploring in the future.

None of my personal security tooling has been published yet, but I plan to—eventually™—release a toolkit to build comprehensive offline graphs of GitHub organizations with an extensible query suite to quickly uncover common misconfigurations and hidden attack paths.

What are your favorite classes of bugs to research and why?

I’m particularly drawn to injection-related vulnerabilities, subtle logical flaws, and overlooked assumptions that may not seem important at first glance. Recently, I’ve been intrigued by novel techniques for bypassing even the strictest content security policies.

What I enjoy most is demonstrating how seemingly benign findings can be chained together into something with significant impact. These vulnerabilities often expose weaknesses in the underlying design rather than just surface-level issues. My passion for building resilient systems naturally shapes this approach, driving me to explore how small cracks can compromise a system’s overall integrity.

You’ve found some complex and significant bugs in your work. Can you talk a bit about your process?

The most significant discoveries I have made in my spare time have been coincidental and, in most cases, a side effect of being sidetracked by my own curiosity, rather than the result of a targeted approach with a rigid methodology.

I’ve always had an insatiable curiosity and fascination with how systems work under the hood, and I let that curiosity guide my process outside of work. When I notice something unusual, I dig deeper, peeling back the layers until I fully understand what’s happening. From there—if it’s worthwhile—I carefully document each step to map out potential attack paths and piece together a clear, comprehensive picture of the vulnerability, which enables me to build a strong foundation for further analysis and reporting.

Do you have any advice or recommended resources for researchers looking to get involved with Bug Bounty?

Don’t settle for a simple finding. Dig deeper and explore its implications. When you have a grasp of the bigger picture, seemingly benign issues could turn out to have substantial impact.

Do you have any social media platforms you’d like to share with our readers?

Currently I have a page, where I’ll be posting interesting content in the near future. I’m also on LinkedIn.

Thank you, @dev-bio, for participating in GitHub’s bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So, if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.

Written by