The Tencent Security Response Center (TSRC) is launching an expanded bug-bounty program, via the HackerOne white-hat platform – and the company has increased its top reward to $15,000.
Tencent, a China-based global internet service provider, is opening up its existing bug-bounty program to HackerOne’s community of 600,000+ bug hunters, to widen the company’s vulnerability reporting and technical sharing efforts, it said in a launch notice on Tuesday. Tencent will also pay out its bounty payments via HackerOne’s platform from now on.
The top award in the program is now $15,000 for “quality reports on eligible valid vulnerabilities” that are critical-rated, according to the program details – an increase from $5,000 previously. As for what’s eligible and valid, awards are available across Tencent’s products and services, as well on its carrier networks.
Attacks on ISP networks and services can take many forms. Tencent said that it’s mainly interested in bugs that enable: cross-site scripting (XSS); cross-site request forgery (CSRF); server-side request forgery (SSRF); SQL injection; remote code execution (RCE); XML external entity attacks (XXE); access control issues (insecure direct object reference issues, etc.); exposed administrative panels; directory traversal issues; local file disclosure (LFD); and data leakage/data breach/information disclosure issues.
“Any design or implementation issue that is reproducible and substantially affects the security of Tencent users is likely to be in scope for the program,” according to TSRC.
Below is a general chart of what’s in-scope:
“Online security for our products and platforms is a top priority for Tencent,” said Juju Zhu, COO of TSRC, in a media statement. “While we develop and deploy advanced technologies to safeguard our platforms, we also collaborate with professional white hackers’ networks to help us enhance our security protection for our products and our users. We are the first company in China to set up a Security Response Center, and now by partnering with Hacker One, we expect to receive constructive research results from a larger, global community of security experts.”
According to HackerOne platform data in the 2019 Hacker-Powered Security Report, bug-bounty programs in the Asia-Pacific region have increased by 30 percent in 2019, thanks to new programs from Singapore’s Ministry of Defence (MINDEF) and Singapore’s Government Technology Agency (GovTech), Toyota, Nintendo, Grab, Alibaba, LINE, OPPO, OnePlus and others.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.