by giovannibajo1 4519 days ago
The point is that you need an entry point of trust. So either you have been to many different signing parties and you happen to have a reasonable connection with the key, or they must give you a trust reference on the website, preferably through HTTPS. At which point, they can just publish the key on the website.

Yes, that would definitely be a viable strategy. It's probably the easiest one, and it's what I would do. In general, using HTTPS for anything related to your bug bounty program is probably good hygiene.

Though even without that, I don't think you need to have been to a lot of key signing parties. The entry point of trust could very well be another organization--not GitHub, not someone at a key signing party. As long as the signature chain points back to an identity you can trust, you're good to go.
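As an added illustration of the "signature chain points back to an identity you can trust" argument (example code, not part of either comment): a small model of a web of trust in which a key is accepted only if a chain of certifications leads back to a trusted root within a bounded number of hops and never passes through a revoked key. The fingerprints and the `SIGNATURES` graph are constructed for the example; the depth limit mirrors GnuPG's `--max-cert-depth`, whose default is 5.

```python
from collections import deque

# Constructed web of trust: (signer_fingerprint, signed_fingerprint).
# Each entry means "signer certifies that the signed key belongs to its owner".
SIGNATURES = [
    ("ROOT-ORG", "ALICE"),
    ("ALICE", "BOB"),
    ("BOB", "BOUNTY-KEY"),
    ("MALLORY", "BOUNTY-KEY"),  # signature from an untrusted key adds nothing
    ("ROOT-ORG", "CAROL"),
    ("CAROL", "DAVE"),
    ("DAVE", "ERIN"),
    ("ERIN", "FAR-KEY"),        # reachable only via a 4-hop chain
]


def find_trust_path(target, trusted_roots, signatures, max_depth=3, revoked=()):
    """Return the certification chain from a trusted root to `target`, or None.

    `target` is accepted only if a chain of signatures leads back to a key in
    `trusted_roots` (the "entry point of trust" from the thread). The chain
    may not exceed `max_depth` hops and may not pass through a revoked key.
    """
    signed_by = {}
    for signer, signee in signatures:
        signed_by.setdefault(signee, []).append(signer)

    # Breadth-first search backwards from the target towards a trusted root,
    # so the first chain found is the shortest one.
    queue = deque([(target, [target])])
    seen = {target}
    while queue:
        key, path = queue.popleft()
        if key in trusted_roots:
            return list(reversed(path))     # root first, target last
        if len(path) - 1 >= max_depth:      # hops from target so far
            continue
        for signer in signed_by.get(key, []):
            if signer in revoked or signer in seen:
                continue
            seen.add(signer)
            queue.append((signer, path + [signer]))
    return None


if __name__ == "__main__":
    print(find_trust_path("BOUNTY-KEY", {"ROOT-ORG"}, SIGNATURES))
    print(find_trust_path("FAR-KEY", {"ROOT-ORG"}, SIGNATURES))
```

Note that `MALLORY`'s signature on `BOUNTY-KEY` only helps if `MALLORY` is itself a trusted root; otherwise it is ignored, which is the point of needing a trust anchor in the first place.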