Strengthening Security: Bug Bounty and GitHub Secret Scanning

Today, MongoDB is announcing two important updates that further strengthen its security posture:

1. The free tier of MongoDB Atlas is now included in the company’s public bug bounty program.

2. MongoDB has joined the GitHub secret scanning program.

These updates empower MongoDB to identify and remediate security risks earlier in the development lifecycle. MongoDB has long been committed to proactively tackling security challenges, so the decision to open MongoDB Atlas to responsible testing by the security researcher community was an easy one. Its collaboration with GitHub further strengthens this approach by enabling the detection and validation of exposed MongoDB-specific credentials. Together, these efforts help protect customer data and support secure application development at scale.

Expanding MongoDB’s bug bounty program to include MongoDB Atlas

The free tier of MongoDB Atlas is now a part of the company’s public bug bounty program. This fully managed, multi-cloud database powers mission-critical workloads for thousands of customers, ranging from large enterprises to small startups and individual developers. MongoDB’s bug bounty program has already paid out over $140,000 in bounties to security researchers and has resolved over 130 bug reports. Integrating Atlas into the bug bounty program is the next step in hardening the database’s security posture, enabling earlier discovery and remediation of potential risks.

The cyberthreat landscape is evolving faster than ever. Where organizations once faced a narrower set of risks, today’s threats are more diverse and sophisticated. These include emerging risks like generative AI misuse and supply chain compromises, alongside persistent threats such as phishing, software vulnerabilities, and insider attacks.

One proven way to stay ahead of these threats is by working with the security research community through bug bounty programs. Researchers can help identify and report vulnerabilities early, enabling organizations to fix issues before attackers exploit them. Security researchers are expanding their expertise to address new attack vectors, according to HackerOne. In fact, 56% now specialize in API vulnerabilities and 10% focus on AI and large language models.¹

With MongoDB Atlas now included in the company’s bug bounty program, customers can expect:

• Continuous, real-world testing by a diverse security research community.

• Systems designed for faster detection of vulnerabilities than traditional penetration testing.

• Stronger confidence in MongoDB’s ability to safeguard sensitive data.

By bringing MongoDB Atlas into its bug bounty program, MongoDB is doubling down on transparency, collaboration, and proactive defense. This is a critical step in reinforcing customer trust and ensuring MongoDB Atlas remains secure as threats evolve.

Partnering with GitHub to detect credential leaks faster

Building on its commitment to proactive threat detection, MongoDB has also joined GitHub’s secret scanning partner program to better protect customers from credential exposure. This program enables service providers like MongoDB to include their custom secret token formats in GitHub’s secret scanning functionality. This capability actively scans repositories to detect accidental commits of secrets such as API keys, credentials, and other sensitive data.

Through this partnership, when GitHub detects a match of MongoDB Atlas–specific secrets, it will notify MongoDB. Then MongoDB can securely determine if the credential is active. As a result, MongoDB can rapidly identify and manage potential security risks.

Stolen credentials remain one of the
most common and damaging threats in cybersecurity. Stolen credentials have been involved in 31% of data breaches in the past decade, according to a Verizon report. Credential stuffing, where bad actors use stolen credentials to access unrelated services, is the most common attack type for web applications.² These breaches are particularly harmful, taking an average of 292 days to detect and contain.³

By participating in GitHub’s secret scanning program, MongoDB helps ensure that MongoDB Atlas customers benefit from:

• Faster detection and remediation of exposed credentials.

• Reduced risk of unauthorized access or data leaks.

• More secure, developer-friendly workflows by default.

Staying ahead of evolving security threats

MongoDB is continuously evolving to help developers and enterprises stay ahead of security risks. By expanding its public bug bounty program to include MongoDB Atlas and by partnering with GitHub to detect exposed credentials in real time, MongoDB is deepening its investment in proactive, community-driven security.

These updates reflect a broader commitment to helping developers and organizations build secure applications, detect risks early, and respond quickly to new and emerging threats. Learn more about these programs:

• MongoDB’s bug bounty program on HackerOne

• GitHub’s secret scanning partner program

¹ Hacker-Powered Security Report, 8th Edition, HackerOne

² Verizon Data Breach Investigations Report, 2024

³ IBM Cost of a Data Breach Report, 2024

Source: Read More