Tor Unpeels Bug Bounty Program

The Tor anonymity project has announced a public bug bounty program with HackerOne.

Used by everyone from political dissidents and human rights defenders to lawyers, researchers and privacy-minded everyday citizens to browse the internet without being tracked, the “onion network” has had a private program with HackerOne in place since January 2016. That program proved successful: hackers helped catch three crash/DoS bugs (two were out-of-bounds-read bugs and one was an infinite-loop bug) and four edge-case memory corruption bugs.

Tor’s first public bug bounty, launched with support from the Open Technology Fund, will focus on flaws in Tor (the network daemon) and Tor Browser. Vulnerabilities that will be rewarded include local privilege escalation, unauthorized access to user data, attacks that cause leakage of cryptographic material from relays or clients, and remote code execution. Tor plans to award up to $4,000 per report, depending on the impact and severity of the issue. Lower-tier bugs will garner $100-$500 for security-related problems that don’t put core users in danger (e.g., bugs in largely unused configurations); the top tier will pay out the maximum for things like exploits that remotely cause clients to de-anonymize themselves.

“Millions of people around the world depend on Tor to browse the internet privately and securely every day, so our security is critical,” said a Tor representative known as “gk,” in a post. “Bugs in our code pose one of the biggest threats to our users’ safety; they allow skilled attackers to bypass Tor’s protections and compromise the safety of Tor users.”

He added, “We’re constantly looking for flaws in our software and have been fortunate to have a large community of hackers who help us identify and fix serious issues early on, but we think we can do even more to protect our users. That’s why if you can #HackTor and find bugs in our software, we want to reward you.”
