HackerOne Offers Free Bounty Programs for Open Source

Popular bug-bounty platform HackerOne has announced that it is offering its services for free to open source projects.

In the wake of high-profile flaws such as Heartbleed in OpenSSL and the POODLE attack on SSL 3.0, there is a growing awareness that much of the software we rely on every day is built on open-source components. With that in mind, HackerOne Community Edition is being offered for free. It provides vulnerability submission, coordination, duplicate detection, analytics and bounty programs, and simplifies how a project defines its scope, receives vulnerability reports, manages those reports and incentivizes security researchers to help harden its code.

Open-source code has the advantage of being open to public review, but no software is perfect, and a single flaw in a widely deployed library can expose vast swaths of the internet's infrastructure.

“Our company, product, and approach are built on, inspired by and driven by open source and a culture of collaborative software development,” HackerOne said, in a blog post. “As such, we want to give something back. Our primary focus at HackerOne is to help make the Internet safer. As part of this we know that open source underpins many products and services that we use every day, so we want to ensure that open source projects can get as much support as possible in running simple, efficient, and productive security programs.”

As part of the HackerOne Community Edition, the company will provide a full featured instance of HackerOne Professional to any eligible project; dedicated customer support isn’t included, but there’s a “wealth of documentation online,” the company noted.

All open-source projects are welcome to apply if they meet the following requirements:

- The program's scope must cover only open-source projects released under an OSI-approved license.
- The project must be active and at least three months old, measured by shipped releases or code contributions.
- The project must add a SECURITY.md file at the root of its repository that explains how to submit vulnerabilities.
- The project must link to its HackerOne profile from the primary or secondary navigation of its website.
- The project must send an initial response to new reports in less than a week.

“As open-source has become an increasing component in how organizations consume technology, the workflow of how people build these projects is critical,” said Jono Bacon, previous director of community at Canonical, GitHub and XPRIZE. “I am delighted to see HackerOne provide a key component in this workflow in much the same way code hosting/review, continuous integration, containerization and other pieces have become staple pieces.”

Many open source projects such as Ruby, Rails, Discourse, Django, GitLab, Brave and Sentry already are using HackerOne.

“Our HackerOne program has been a definite success for us—a new way to get actionable security reports that improve the security of the open source Discourse project for everyone,” said Jeff Atwood, co-founder of Discourse. “A public bounty program is an essential element of the defense in depth philosophy that underpins all security efforts.”

Source: Infosecurity Magazine