Tor to Launch Bug Bounty Program in 2016

2016-01-04T11:45:00
ID TOR-PROJECT-TO-LAUNCH-BUG-BOUNTY-PROGRAM/115759
Type threatpost
Reporter Chris Brook
Modified 2016-01-07T16:50:47

Description

The Tor Project announced last week that it will launch a bug bounty program later this year to encourage security researchers to responsibly report issues they find in the software.

Tor Browser and Tor Performance Developer Mike Perry announced the news during the “State of the Onion” address last week at the Chaos Communication Congress conference in Hamburg, Germany alongside Tor’s Roger Dingledine and Jacob Appelbaum.

The group plans to partner with HackerOne on exploit bounties, Perry said. The program will start out as invite-only, and Tor plans to open it to the public later in the year “after they get used to the flow, and scale it up” in order to “provide people with incentive to review our code, to look for vulnerabilities that may be specific to our applications,” Perry said.

According to Motherboard, which spoke last week with Nick Mathewson, one of the Tor Project’s founders, the group has always appreciated those who review Tor’s code, but it has reached the point where it needs more eyes on it.

“We are grateful to the people who have looked at our code over the years, but the only way to continue to improve is to get more people involved… This program will encourage people to look at our code, find flaws in it, and help us to improve it,” Mathewson said.

Dingledine, who also helped co-found the Tor Project and acts as its research director, told the publication that the Open Technology Fund, a program that uses public funds to support Internet freedom projects, will sponsor the program and pay HackerOne to run it.

HackerOne already runs bug bounty programs for a number of high-profile companies, counting Yahoo, Dropbox, and Adobe among its clients.

Officials with The Tor Project, in particular Dingledine, made headlines late last year by alleging that Carnegie Mellon University accepted $1 million from the FBI to unmask Tor users. CMU ultimately implied that its research had been subpoenaed; that research uncovered a vulnerability, since patched, that was exploited in traffic confirmation attacks to unmask users.

Dingledine stressed during the “State of the Onion” talk that in the wake of that kerfuffle, Tor has been strengthening its network to better recognize attacks like the one CMU carried out. Dingledine said the group has been taking a more “aggressive” stance when it comes to keeping the network safe from large adversaries, whether they’re “government organizations, corporations, or individuals; whoever might be attacking it.”