Twitter Gets on the Bug Bounty Train

With social media vulnerabilities an increasing vector for hackers and would-be spammers, phishers and the like, Twitter has joined the bug bounty party. The microblogging service has partnered with HackerOne to implement the program, which is effective for the website as well as mobile apps for Apple iOS and Google Android.

“Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues,” the company said in announcing the program.

Twitter said that it will provide rewards to eligible reporters of qualifying vulnerabilities that start at $140—no upper limit was given, because, it said, “there is no maximum reward.” The payments seem to be somewhat arbitrary in that reward amounts will vary “depending upon the severity of the vulnerability reported” and “Twitter’s discretion.” All reports will be reviewed on a case-by-case basis.

The program is however unlimited—there’s no end date or cap for rooting out flaws.

To be eligible, the bounty hunter must be the first reporter of a vulnerability; Twitter said that it’s interested in “any design or implementation issue that is reproducible and substantially affects the security of Twitter users.” Examples include cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE), unauthorized access to protected tweets and unauthorized access to DMs.

Spam reports, social engineering, automated tools and scan reports, issues affecting outdated browsers or platforms and physical attempts against Twitter property or data centers are all ineligible.

Program participants will be able to report a qualifying vulnerability through the HackerOne reporting tool, and are asked not to publicly disclose the vulnerability prior to the company’s resolution of the issue.

Also, “if you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy,” it said. “Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Twitter users (spam, denial of service), or sending reports from automated tools without verifying them.”

What’s Hot on Infosecurity Magazine?