Tor has launched a public bug bounty program to encourage ethical hackers to find and disclose security issues in Tor. Because Tor is used by human rights defenders, lawyers, activists, and researchers throughout the world, security issues can seriously affect their privacy. These users rely on Tor's security and safety, so the project is taking steps to keep their anonymity safe from surveillance, tracing and attacks by expert hackers.
Hackers get a chance to earn money by finding and reporting security bugs that are considered critical to users' privacy. Tor will pay according to the severity of the security issue. Finders of high-, medium- and low-severity issues will be paid $2000-$4000, $500-$2000 and $100-$500 respectively.
To hackers who find and submit vulnerabilities that rank too low to be categorized even as low severity, Tor will send stickers or a T-shirt and may even mention their names in the greet list.
Tor has joined hands with HackerOne to start this bug bounty program. HackerOne is a bug bounty platform that helps major companies and organizations surface their critical issues. HackerOne handles bug bounty programs for Twitter, Yahoo, Slack, Dropbox, Uber, and the US Department of Defense. HackerOne's headquarters is located in San Francisco.
“With support from the Open Technology Fund, we’re launching our first public bug bounty with HackerOne. We’re specifically looking for your help to find bugs in Tor (the network daemon) and Tor Browser. A few of the vulnerabilities we’re looking for include local privilege escalation, unauthorized access of user data, attacks that cause the leakage of the crypto material of relays or clients, and remote code execution. In January 2016, we launched a private bug bounty; hackers helped us catch 3 crash/DoS bugs (2 OOB-read bugs + 1 infinite loop bug) and 4 edge-case memory corruption bugs.” (Tor Project blog)
Interested hackers can sign up at HackerOne to create an account and submit their findings about Tor. Before proceeding, it is recommended to read the complete guidelines, details, and terms & conditions at HackerOne.