Endpoint
1/15/2014
10:29 AM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Wickr Announces Bug Bounty Program--100 Million Messages Sent

Will pay hackers up to $100,000 to uncover any vulnerabilities that substantially affect the confidentiality or integrity of its users' data

By Dr. Robert Statica, Cofounder and CTO

January 14, 2014

Wickr is looking to recruit the best hackers in the world in a continuous effort to protect our users. Starting today, we are offering generous amounts of money for critical security bugs found in our app and responsibly disclosed.

Wickr will pay as much as US $100,000 for a vulnerability that substantially affects the confidentiality or integrity of user data. We will also consider paying the same amount for defense techniques and novel approaches to eliminating the vulnerability that are submitted at the same time. Our goal is to make this the most generous and successful bounty program in the world.

Beyond making lots of money, you can feel good about helping Wickr because we were founded to protect the basic human right of private correspondence. Private correspondence is extremely important to a free society. People all over the world depend on Wickr. Please help us with this mission.

To submit a bug, please contact us via email at bugbounty@mywickr.com. The program specifics are on the following pages.

Engaging Hackers

Beyond the Bug Bounty Program, Wickr engages with the best security firms in the world for code review and penetration testing. Veracode gave Wickr a perfect score on its first review. Furthermore, Wickr had the honor to be the target of a presentation at DEF CON 21 conducted by experts from Stroz Friedberg, one of the largest forensics companies in the world. The researchers analyzed Wickr, Snapchat and Facebook Poke to determine that while Snapchat and Facebook revealed personal information, Wickr indeed left no trace. We expect finding critical vulnerabilities in Wickr to be difficult and are honored to work with those that do.

About Wickr

The Wickr team is made up of security and privacy experts who strongly believe online communications should be untraceable by default. Wickr is a free app enabling anyone to to send text, audio, picture and video messages that self-destruct because they are private, secure and anonymous. Unlike any other messaging app, Wickr binds each message to your device, clears metadata from files and permanently shreds deleted files from your device.

Since the launch in June 2012, Wickr has seen an exponential growth and 5-star reviews in the App Store. As a top ranked free social app in the U.S., China, India, Israel, Spain, South Africa and Brazil, we have served millions of secure messages. Wickr is headquartered in San Francisco, CA. More information is available at https://www.mywickr.com.

Wickr Bug Bounty Program

Program Statement

The Wickr Bug Bounty Program is designed to encourage responsible security research in Wickr software. It is impossible to overstate the importance of the role the security research community plays in securing modern software. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their research speeds the pace of advancing security to the benefit of all. With this program and partnership, we pledge to drive constant improvement relating to the security interests of our users, with the goal of keeping Wickr the most trusted messaging platform in the world.

Terms and Conditions

Wickr will issue rewards in return for qualifying security bugs. A qualifying security bug is any previously unreported design or implementation issue that substantially affects the confidentiality or integrity of user data.

Kids Welcome

Any age is welcome to participate. Wickr Android was first beta tested with the r00tz kids at DEF CON.

Submission Process

To submit a bug, please contact us via email at bugbounty@mywickr.com.

Judging

Judging will be done based on the severity of the exploits, the conditions in which it was possible to have that exploit, the impact the exploit had on the user's messages, the app's availability & proper functioning, on the routing of the messages, server storage availability and functionality, as well as on the quality and feasibility of the solution provided by the person discovering the exploit. At the request of Wickr, the person submitting the exploit must provide all the tools, procedures and algorithms used available for study by Wickr engineers.

Responsible Disclosure

We believe in responsible disclosure of security vulnerabilities. To allow sufficient time for internal review and remediation, and to qualify for reward, qualifying security bugs submitted under this program cannot be disclosed or reported to any third party within three (3) months of the date of submission without our written permission.

Rewards

Rewards range from $10,000 to $100,000, depending on our assessment of severity as calculated by likelihood and impact. Reward amounts are set entirely at the discretion of Wickr, and all determinations are final. The payments are in US dollars the beneficiary is responsible for all applicable taxes, fees and tariffs in the country of residence. Team submissions must split the reward.

The prize payment cannot be made anonymously and personal identifiable information (PII) must be provided to Wickr before payment can be made. The PII might contain the legal name, address, phone number and financial information like bank account number, etc.

All prizes and their money value are established by Wickr Inc and payable after all the requirements have been met and a solution to the exploit has been implemented and deployed.

Prohibitions

The scope of this program is limited to technical security vulnerabilities in Wickr software. Under no circumstances should your testing affect the availability of Wickr services, disrupt or compromise any data that is not your own, or violate any law or our Terms of Service.

Restrictions

To be eligible for the program, you must not:

• Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);

• Be employed by Wickr, Inc. or its subsidiaries

• Be an immediate family member of a person employed by Wickr, Inc. or its subsidiaries

Legal

You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law and age. We reserve the right to cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion. Void where prohibited by law.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.