HackerOne offers a portal and a platform for disclosing bugs and managing the rewards process. “We spent a lot of time considering the best way for us to manage a vulnerability reporting program, including evaluating several crowd-sourced solutions,” said CloudFlare researcher Jamie Tomasello, in a blog. “We chose to partner with HackerOne to power this program because not only have they streamlined the disclosure process, but we also agree with their vulnerability disclosure philosophy. They have also partnered with Nginx, PHP, Yahoo, OpenSSL and a range of security-minded companies.”
Speaking of rewards, HackerOne noted on its homepage that “showing gratitude to those who help keep your users secure is not only the right thing to do, it’s essential to building a more secure product. This gratitude could take many forms: a classic ‘thanks,’ some company schwag, or a bug bounty program.”
CloudFlare is embracing the first two, but no financial rewards are on offer.
“When we’ve fixed an eligible bug you have reported, we will recognize you publicly on our Hall of Fame page and reward you with a CloudFlare ‘Venator Errorum’ t-shirt,” Tomasello said. Successful reporters will also get 12 months of CloudFlare Pro or one month of CloudFlare business service for free.
The bug-hunter T-shirt is a limited-edition shirt and will only be available to the exclusive group of vulnerability reporters who submit an accepted bug—not even CloudFlare employees will be given one without an eligible vulnerability submission, the company said.
The company is bullish on its efforts. “Previously, we did not have a dedicated external reporting channel for vulnerabilities,” said Tomasello. “We realized having a formal program would improve responsiveness to vulnerability reporters and provide more transparency to the researcher community.”