Tor Project Fights Back with Bug Bounty Promise

Written by

Non-profit the Tor Project is set to offer a bug bounty program this year designed to encourage researchers to find vulnerabilities in the internet anonymization platform.

The news was revealed during a “State of the Onion” presentation by several key Tor Project members at last week’s Chaos Communication Congress in Hamburg.

Tor browser lead developer, Mike Perry, claimed during the presentation that the program would begin life as “invite only” and cover vulnerabilities specific to Tor applications.

“We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved,” Tor Project co-founder Nick Mathewson told Motherboard.

“This program will encourage people to look at our code, find flaws in it, and help us to improve it.”

The bug bounty will be run by HackerOne—a platform designed specifically to streamline and co-ordinate such programs.

The money will apparently be put up by the Open Technology Fund; a community of experts which use funds to support internet freedom projects around the world.

The news comes after a year in which the Tor Project was involved in a war of words with Carnegie Mellon university after accusing researchers there of accepting $1 million from the FBI to research holes in the platform.

The university hit back at “inaccurate media reports” in a statement which seemed to imply it had been subpoenaed, rather than paid.

A six-month attack on the Tor network which began in January 2015 was made public by the Tor Project in July the same year.

It claimed that an unidentified party had joined the network in the form of a group of relays, and then set about “modifying Tor protocol headers to do traffic confirmation attacks.”

The FBI was accused of getting Carnegie Mellon to effectively do its dirty work—bypassing legal safeguards preventing federal officers from engaging in this kind of activity without a court order or specific target in mind.

Photo © auremar

What’s hot on Infosecurity Magazine?