Github has previously listed the name of those who report vulnerabilities in the 'Hall of fame' page, now offers bounty amount starting from $100 to $5,000.
The exact bounty amount for each vulnerability is determined by GitHub based on actual risk and potential impact to their users.
Let us say, you find a non-persistent XSS vulnerability which only work in Opera browser(affects only 2% of its users) will get small bounty. If you managed to find a Persistent(stored) XSS that will work in Chrome(affects 60% of its users), it will earn you larger reward.
The bounty program currently covers the GitHub API, GitHub Gist and GitHub.com. GitHub says its other applications are not part of the open bounty, but researchers may receive a bounty at its discretion.
So far, two researchers have received 1000 points for reporting 'Broken Authentication or Session Management' and 'Missing Function Level Access Control'