Bug bounty programs, for the most part, have been the domain of large software vendors and Web companies such as Google, Mozilla, Microsoft, PayPal and Facebook. But some smaller companies are now getting involved, with the latest one to announce a bounty being Wickr, the maker of secure messaging apps for Android and iOS, and the potential payoff is huge: up to $100,000.
Wickr’s bug bounty program is quite similar to the one announced last year by Microsoft. That program offers hackers up to $100,000 for new offensive techniques that can defeat the memory protections in the latest version of Windows. The Microsoft bug bounty program also offers $50,000 to researchers who develop a defensive technique that can stop an existing mitigation bypass.
Wickr is doing something similar, enticing hackers with a payment of up to $100,000 for submitting a new vulnerability “that substantially affects the confidentiality or integrity of user data.” The company also is offering additional cash for a defensive technique, submitted at the same time, that can protect against the new vulnerability. Wickr makes a text messaging app for both Android and iOS that is designed to be secure and protect users’ privacy by shredding deleted files on users’ devices.
“The Wickr Bug Bounty Program is designed to encourage responsible security research in Wickr software. It is impossible to overstate the importance of the role the security research community plays in securing modern software. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their research speeds the pace of advancing security to the benefit of all. With this program and partnership, we pledge to drive constant improvement relating to the security interests of our users, with the goal of keeping Wickr the most trusted messaging platform in the world,” Robert Statica, co-founder of Wickr, wrote in a blog post announcing the bug bounty program.
Bug bounties have been quite successful for a number of the companies that have established them in recent years, with Google and others crediting the contributions of external researchers with improving the security of their products. In October, Microsoft paid its first bounty to researcher James Forshaw, and the company also recently extended its program to accept submissions from incident response teams and forensics investigators.
Wickr’s program requires that researchers submit their vulnerabilities privately to the company and not publicly disclose them within three months of the submission. It’s open to anyone, of any age, who isn’t a resident of a country that’s on the United States embargo list, and the rewards will range from $10,000 to $100,000.
Image from Flickr photos of Pascal.