GitHub's Bug Bounty program rewards researchers for discovering security vulnerabilities in a number of repositories. The full list of projects that are eligible for rewards are available on our Bug Bounty site.
If the repository is eligible for rewards, you can submit a report via HackerOne. You can find more useful information in our rules and FAQ.
For repositories not covered by the Bug Bounty program, please open an issue.