Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability.
The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bounty system that enables vendors to access a pool of hundreds of researchers who perform authorized research against a company’s products. HackerOne is used by a number of prominent companies, including Square, Yahoo and CloudFlare and also is the platform that supports the Internet Bug Bounty.
Twitter’s bug bounty program will pay researchers for finding vulnerabilities in its main Web site and the Twitter apps for iOS and Android. The types of vulnerabilities that are in scope for the program include XSS, CSRF, remote code execution, and unauthorized access to private tweets or direct messages.
“Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities,” Twitter’s program rules say.
Bug bounties have become de rigueur for many large software and Web companies, including Facebook, Yahoo, Google and many others. Microsoft has its own version of a reward program, and even some individual developers have begun to offer rewards for security reports as well.
Twitter’s reward program starts with a minimum bounty of $140 and doesn’t have a maximum payout. The company already has fixed several dozen bugs reported through the HackerOne platform, including one that involved cookies on a Twitter site not being marked as secure.