One could argue that $30k is not enough for a CVSS score of 10 but I don’t know

update: even the article mentions $30k as conservative

> Though, even $30,000 might be conservative. "The upper bound for critical vulnerabilities is only a guideline, and GitHub may reward higher amounts for exceptional reports," GitHub says. Since this was a maximum severity security hole, the person who found it might have been paid very generously indeed. 

So maybe they were paid more

security

Critical Github enterprise Server Authentication bypass bug

Gian

> On the bright side, someone made up to $30,000+ for finding it

> GitHub has patched its Enterprise Server software to fix a security flaw that scored a 10 out of 10 CVSS severity score.

bug bounty working! 

