Endpoint
1/15/2014
10:29 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Wickr Announces Bug Bounty Program--100 Million Messages Sent

Will pay hackers up to $100,000 to uncover any vulnerabilities that substantially affect the confidentiality or integrity of its users' data

By Dr. Robert Statica, Cofounder and CTO

January 14, 2014

Wickr is looking to recruit the best hackers in the world in a continuous effort to protect our users. Starting today, we are offering generous amounts of money for critical security bugs found in our app and responsibly disclosed.

Wickr will pay as much as US $100,000 for a vulnerability that substantially affects the confidentiality or integrity of user data. We will also consider paying the same amount for defense techniques and novel approaches to eliminating the vulnerability that are submitted at the same time. Our goal is to make this the most generous and successful bounty program in the world.

Beyond making lots of money, you can feel good about helping Wickr because we were founded to protect the basic human right of private correspondence. Private correspondence is extremely important to a free society. People all over the world depend on Wickr. Please help us with this mission.

To submit a bug, please contact us via email at bugbounty@mywickr.com. The program specifics are on the following pages.

Engaging Hackers

Beyond the Bug Bounty Program, Wickr engages with the best security firms in the world for code review and penetration testing. Veracode gave Wickr a perfect score on its first review. Furthermore, Wickr had the honor to be the target of a presentation at DEF CON 21 conducted by experts from Stroz Friedberg, one of the largest forensics companies in the world. The researchers analyzed Wickr, Snapchat and Facebook Poke to determine that while Snapchat and Facebook revealed personal information, Wickr indeed left no trace. We expect finding critical vulnerabilities in Wickr to be difficult and are honored to work with those that do.

About Wickr

The Wickr team is made up of security and privacy experts who strongly believe online communications should be untraceable by default. Wickr is a free app enabling anyone to to send text, audio, picture and video messages that self-destruct because they are private, secure and anonymous. Unlike any other messaging app, Wickr binds each message to your device, clears metadata from files and permanently shreds deleted files from your device.

Since the launch in June 2012, Wickr has seen an exponential growth and 5-star reviews in the App Store. As a top ranked free social app in the U.S., China, India, Israel, Spain, South Africa and Brazil, we have served millions of secure messages. Wickr is headquartered in San Francisco, CA. More information is available at https://www.mywickr.com.

Wickr Bug Bounty Program

Program Statement

The Wickr Bug Bounty Program is designed to encourage responsible security research in Wickr software. It is impossible to overstate the importance of the role the security research community plays in securing modern software. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their research speeds the pace of advancing security to the benefit of all. With this program and partnership, we pledge to drive constant improvement relating to the security interests of our users, with the goal of keeping Wickr the most trusted messaging platform in the world.

Terms and Conditions

Wickr will issue rewards in return for qualifying security bugs. A qualifying security bug is any previously unreported design or implementation issue that substantially affects the confidentiality or integrity of user data.

Kids Welcome

Any age is welcome to participate. Wickr Android was first beta tested with the r00tz kids at DEF CON.

Submission Process

To submit a bug, please contact us via email at bugbounty@mywickr.com.

Judging

Judging will be done based on the severity of the exploits, the conditions in which it was possible to have that exploit, the impact the exploit had on the user's messages, the app's availability & proper functioning, on the routing of the messages, server storage availability and functionality, as well as on the quality and feasibility of the solution provided by the person discovering the exploit. At the request of Wickr, the person submitting the exploit must provide all the tools, procedures and algorithms used available for study by Wickr engineers.

Responsible Disclosure

We believe in responsible disclosure of security vulnerabilities. To allow sufficient time for internal review and remediation, and to qualify for reward, qualifying security bugs submitted under this program cannot be disclosed or reported to any third party within three (3) months of the date of submission without our written permission.

Rewards

Rewards range from $10,000 to $100,000, depending on our assessment of severity as calculated by likelihood and impact. Reward amounts are set entirely at the discretion of Wickr, and all determinations are final. The payments are in US dollars the beneficiary is responsible for all applicable taxes, fees and tariffs in the country of residence. Team submissions must split the reward.

The prize payment cannot be made anonymously and personal identifiable information (PII) must be provided to Wickr before payment can be made. The PII might contain the legal name, address, phone number and financial information like bank account number, etc.

All prizes and their money value are established by Wickr Inc and payable after all the requirements have been met and a solution to the exploit has been implemented and deployed.

Prohibitions

The scope of this program is limited to technical security vulnerabilities in Wickr software. Under no circumstances should your testing affect the availability of Wickr services, disrupt or compromise any data that is not your own, or violate any law or our Terms of Service.

Restrictions

To be eligible for the program, you must not:

• Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);

• Be employed by Wickr, Inc. or its subsidiaries

• Be an immediate family member of a person employed by Wickr, Inc. or its subsidiaries

Legal

You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law and age. We reserve the right to cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion. Void where prohibited by law.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?