The Tor Project is about to start a bug bounty program for the Tor Browser, which means that those who find bugs or vulnerabilities in the Tor Browser will be paid for their efforts. Bug bounties are payments made by companies or organizations to researchers who find security problems in their websites or products and then report them responsibly to the vendor. Both large and small companies use this kind of "reward program" to improve the security and stability of their products. According to Tor, the program will start in January.
Tor made this announcement at the recurring "State of the Onion" talk at the end of December 2015. The talk was part of the Chaos Communication Congress, an art, politics and security conference held annually in Hamburg, Germany. Nick Mathewson, co-founder, researcher, and chief architect of the Tor Project, made this statement about the new program:
“We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved. This program will encourage people to look at our code, find flaws in it, and help us to improve it.”
Bug bounties can help organizations improve their software, but these programs also carry a risk, especially in the Tor Project's case. A researcher who finds a vulnerability is not obliged to report it to the affected organization; instead, the information may be sold to other firms or governments for a good price.
Bounty rewards range from a few hundred dollars to tens of thousands. According to Facebook's statistics for 2014, the company paid a total of $1.3 million in bounties during that year.
“We have a sponsor, OTF [Open Technology Fund], who is paying HackerOne, a company that specializes in this, to help us do it,” Roger Dingledine, co-founder and research director of the Tor Project, told the media.
HackerOne is a platform that connects security researchers who discover vulnerabilities, bugs and other issues with the companies affected by them. HackerOne raised $25 million in private funding in 2015.
According to Mike Perry, lead developer of the Tor Browser, the bug bounty program will start out as invite-only.