There is some excellent news for researchers and white hat hackers. On Thursday the Tor Project, which runs the popular anonymity network, launched its public bug bounty program. Researchers stand to earn thousands of dollars, since up to $4,000 is being offered per vulnerability.
The program has been launched on the HackerOne platform with the support of the Open Technology Fund and aims to provide an open space for researchers to report low-, medium- and high-severity flaws. Tor Browser developer Georg Koppen states:
“Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attack.”
The organization is looking to identify flaws in Tor Browser and the Tor network daemon. In scope are flaws involving remote code execution, attack methods that could expose cryptographic material on clients or relays, local privilege escalation and unauthorized access to user data.
The prize money offered per flaw is certainly the real attraction. The organization is offering between $2,000 and $4,000 for high-severity bugs and between $500 and $2,000 for medium-severity flaws. Vulnerabilities in third-party libraries used by the Tor Project will also be rewarded, with $500 to $2,000 depending on severity. Low-severity issues will fetch a reward of at least $100, and for bugs that are less severe still, researchers can expect souvenirs such as T-shirts and stickers and a mention in Tor’s “hall of fame.”
Examples of vulnerabilities in each of these categories, with CVE references, are available on the Tor Project’s official bug bounty page. It must be noted that third-party libraries such as OpenSSL that are already covered by other bug bounty programs are excluded from this one.
In January 2016, the Tor Project launched a private program in which researchers identified three denial-of-service (DoS) vulnerabilities, one infinite loop issue and two out-of-bounds (OOB) flaws. Four memory corruption flaws described as “edge-case” issues were also identified.