Endpoint
1/15/2014
10:29 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Wickr Announces Bug Bounty Program--100 Million Messages Sent

Will pay hackers up to $100,000 to uncover any vulnerabilities that substantially affect the confidentiality or integrity of its users' data

By Dr. Robert Statica, Cofounder and CTO

January 14, 2014

Wickr is looking to recruit the best hackers in the world in a continuous effort to protect our users. Starting today, we are offering generous amounts of money for critical security bugs found in our app and responsibly disclosed.

Wickr will pay as much as US $100,000 for a vulnerability that substantially affects the confidentiality or integrity of user data. We will also consider paying the same amount for defense techniques and novel approaches to eliminating the vulnerability that are submitted at the same time. Our goal is to make this the most generous and successful bounty program in the world.

Beyond making lots of money, you can feel good about helping Wickr because we were founded to protect the basic human right of private correspondence. Private correspondence is extremely important to a free society. People all over the world depend on Wickr. Please help us with this mission.

To submit a bug, please contact us via email at bugbounty@mywickr.com. The program specifics are on the following pages.

Engaging Hackers

Beyond the Bug Bounty Program, Wickr engages with the best security firms in the world for code review and penetration testing. Veracode gave Wickr a perfect score on its first review. Furthermore, Wickr had the honor to be the target of a presentation at DEF CON 21 conducted by experts from Stroz Friedberg, one of the largest forensics companies in the world. The researchers analyzed Wickr, Snapchat and Facebook Poke to determine that while Snapchat and Facebook revealed personal information, Wickr indeed left no trace. We expect finding critical vulnerabilities in Wickr to be difficult and are honored to work with those that do.

About Wickr

The Wickr team is made up of security and privacy experts who strongly believe online communications should be untraceable by default. Wickr is a free app enabling anyone to to send text, audio, picture and video messages that self-destruct because they are private, secure and anonymous. Unlike any other messaging app, Wickr binds each message to your device, clears metadata from files and permanently shreds deleted files from your device.

Since the launch in June 2012, Wickr has seen an exponential growth and 5-star reviews in the App Store. As a top ranked free social app in the U.S., China, India, Israel, Spain, South Africa and Brazil, we have served millions of secure messages. Wickr is headquartered in San Francisco, CA. More information is available at https://www.mywickr.com.

Wickr Bug Bounty Program

Program Statement

The Wickr Bug Bounty Program is designed to encourage responsible security research in Wickr software. It is impossible to overstate the importance of the role the security research community plays in securing modern software. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their research speeds the pace of advancing security to the benefit of all. With this program and partnership, we pledge to drive constant improvement relating to the security interests of our users, with the goal of keeping Wickr the most trusted messaging platform in the world.

Terms and Conditions

Wickr will issue rewards in return for qualifying security bugs. A qualifying security bug is any previously unreported design or implementation issue that substantially affects the confidentiality or integrity of user data.

Kids Welcome

Any age is welcome to participate. Wickr Android was first beta tested with the r00tz kids at DEF CON.

Submission Process

To submit a bug, please contact us via email at bugbounty@mywickr.com.

Judging

Judging will be done based on the severity of the exploits, the conditions in which it was possible to have that exploit, the impact the exploit had on the user's messages, the app's availability & proper functioning, on the routing of the messages, server storage availability and functionality, as well as on the quality and feasibility of the solution provided by the person discovering the exploit. At the request of Wickr, the person submitting the exploit must provide all the tools, procedures and algorithms used available for study by Wickr engineers.

Responsible Disclosure

We believe in responsible disclosure of security vulnerabilities. To allow sufficient time for internal review and remediation, and to qualify for reward, qualifying security bugs submitted under this program cannot be disclosed or reported to any third party within three (3) months of the date of submission without our written permission.

Rewards

Rewards range from $10,000 to $100,000, depending on our assessment of severity as calculated by likelihood and impact. Reward amounts are set entirely at the discretion of Wickr, and all determinations are final. The payments are in US dollars the beneficiary is responsible for all applicable taxes, fees and tariffs in the country of residence. Team submissions must split the reward.

The prize payment cannot be made anonymously and personal identifiable information (PII) must be provided to Wickr before payment can be made. The PII might contain the legal name, address, phone number and financial information like bank account number, etc.

All prizes and their money value are established by Wickr Inc and payable after all the requirements have been met and a solution to the exploit has been implemented and deployed.

Prohibitions

The scope of this program is limited to technical security vulnerabilities in Wickr software. Under no circumstances should your testing affect the availability of Wickr services, disrupt or compromise any data that is not your own, or violate any law or our Terms of Service.

Restrictions

To be eligible for the program, you must not:

• Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);

• Be employed by Wickr, Inc. or its subsidiaries

• Be an immediate family member of a person employed by Wickr, Inc. or its subsidiaries

Legal

You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law and age. We reserve the right to cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion. Void where prohibited by law.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.