The Tor Project announced today the launch of a public bug bounty program to encourage security researchers to privately report issues they find in the group’s software. Unlike its previous invite-only bounty program launched last year, this bounty program will be open to all bounty hunters through HackerOne.
HackerOne will manage the bounty program, with initial funding support coming from the Open Technology Fund, a U.S. government-backed organization that promotes free speech, the circumvention of censorship, and works against repressive surveillance.
The highest payout for bugs will $4,000, which HackerOne cofounder Alex Rice said is competitive with most organizations – however falls short of big dollar-figure bounty payouts by Google, Apple and Microsoft.
“What makes this unique is that Tor doesn’t have a huge bankroll, it’s largely a community funded project,” Rice said. “If you are a financial services firm or a social network posting bounties, you are pretty much attracting users by the bounty amount. When you turn to a community like Tor, it’s about so many things that are fundamentally important to security researchers. It’s a pretty huge group of people coming forward wanting to contribute research first. It’s not just about the bounty amount.”
During the past 18 months, since Tor Project launched its private bounty program, researchers helped identify three DoS bugs and four edge-case memory corruption bugs, according to Tor. However, one serious zero-day vulnerability reported last November was not found through the bounty program. That bug was in Firefox’s SVG animation feature.
Not much is changing with the introduction of public bounty program beside lifting the invite-only requirement, Rice said. “Tor is following the typical path of a bounty program. They are now comfortable with their bounty fee structure, have a development team in place to handle bug reports, and are confident they haven’t missed anything huge,” he said.
Rice said that the categories of vulnerabilities that the Tor project is focused on are those that comprise the fundamental privacy mission of Tor, which is making sure individuals can remain anonymous online.
“There are very few pieces of technology that we depend upon where security vulnerabilities in them actually have real potential for human lives and livelihoods to be destroyed,” Rice said.
“Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attacks,” wrote Tor Project in its announcement of the public bounty program.
