Twitter Launches Bug Bounty Program

Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability.

The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bounty system that enables vendors to access a pool of hundreds of researchers who perform authorized research against a company’s products. HackerOne is used by a number of prominent companies, including Square, Yahoo and CloudFlare and also is the platform that supports the Internet Bug Bounty.

Twitter’s bug bounty program will pay researchers for finding vulnerabilities in its main Web site and the Twitter apps for iOS and Android. The types of vulnerabilities that are in scope for the program include XSS, CSRF, remote code execution, and unauthorized access to private tweets or direct messages.

“Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities,” Twitter’s program rules say.

Bug bounties have become de rigueur for many large software and Web companies, including Facebook, Yahoo, Google and many others. Microsoft has its own version of a reward program, and even some individual developers have begun to offer rewards for security reports.

Twitter’s reward program starts with a minimum bounty of $140 and doesn’t have a maximum payout. The company already has fixed several dozen bugs reported through the HackerOne platform, including one that involved cookies on a Twitter site not being marked as secure.
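The cookie finding mentioned above is the kind of low-hanging issue a bounty hunter checks for first: a session cookie set without the Secure attribute is also sent on plaintext HTTP requests to the same host, where it can be read on the wire. The script below is an added example, not code from the article, from Twitter or from HackerOne; it audits raw response header lines for Set-Cookie values that lack Secure, and, since XSS is also in scope for the program, goes one step beyond the article and flags missing HttpOnly too. The sample headers and cookie names are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example, not part of the original article or of Twitter's or
HackerOne's code. The response header lines below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    """One cookie that is missing at least one required attribute."""
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names).

    Attribute matching is case-insensitive, as in RFC 6265, so "Secure",
    "secure" and "SECURE" are all recognised.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for attr in parts[1:]:
        if attr:
            attrs.add(attr.split("=", 1)[0].strip().lower())
    return name, attrs


def audit_set_cookie(headers, required=("secure", "httponly")):
    """Return CookieFinding objects for every Set-Cookie line in `headers`
    that lacks one or more of the `required` attributes.

    `headers` is an iterable of raw header lines as they appear in an HTTP
    response, e.g. "Set-Cookie: sid=abc; Path=/; Secure". Lines that are not
    Set-Cookie headers are ignored.
    """
    findings = []
    for line in headers:
        field_name, sep, value = line.partition(":")
        if not sep or field_name.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value.strip())
        missing = [a for a in required if a not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample response: one cookie set correctly, one session
# cookie without Secure (the class of bug named in the article), one
# cookie with neither attribute.
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: auth_token=deadbeef; Path=/; Secure; HttpOnly",
    "Set-Cookie: _session=abc123; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_RESPONSE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```

Run against a captured response (for example the output of `curl -sI https://host/`), the script prints one line per deficient cookie; a missing Secure on anything that carries a session identifier is the report-worthy case, while a missing HttpOnly matters mainly when the same site also has an XSS bug.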
