Vulnerabilities / Threats

7/20/2017
04:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

#HackTor: Tor Opens up its Bug Bounty Program

The popular identity-cloaking service has expanded its private, invite-only vulnerability discovery program to an open one via HackerOne.

The Tor Project has teamed up with HackerOne to invite hackers to find vulnerabilities in its online anonymization platform used by 1.5 million citizens, journalists, privacy advocates, and dissidents around the globe.

The new public bug bounty program expands on its two-year-old invite-only bug bounty project that doled out a total of $2,200 for seven vulnerability finds, including crash and denial-of-service and edge-case memory-corruption flaws. Under its new public bug bounty program, which Tor announced with the #HackTor moniker, Tor is offering up to $4,000 per bug find, depending on the severity and impact of the flaw.

Tor is hoping the program will help it root out some specific vulnerabilities in its Tor network daemon and browser software: local privilege escalation, unauthorized access of user data, leakages of crypto material of relays or clients, and remote code execution.

"After experiencing the success of the private bug bounty program, we're electing to open up our program to all hackers willing to comply with the scope of the program on an ongoing basis. The private bounty brought us quality bug reports and helped us fixing issues not only in software eligible under the bug bounty program, but also in other tools we produce or use," Tor browser team lead Georg Koppen said via an email interview.

Tor's bug bounty is sponsored by the Open Technology Fund, an organization that supports Internet freedom initiatives worldwide. 

Alex Rice, co-founder and CTO of HackerOne, a bug bounty platform service, says many organizations start with a private bug-bounty program to get their feet wet. "Tor made the decision rather than ramping up rewards to ramp up the number of hackers" searching for vulnerabilities in its software, he says.

Over the past year and a half, Tor had begun inviting more hackers to its closed program and upping the amount of its awards to bug finders, Rice notes.

"The stakes for vulnerabilities in a technology like Tor are so much higher than the average organization," Rice says. "People using Tor are human rights advocates, privacy advocates, and individuals going to extremes to protect their privacy because often their lives are in danger if that privacy technology reveals them."

But the flip side to Tor's popularity is that it's also used by seedy elements of the Internet world: the infamous AlphaBay Darkweb underground marketplace, for example, which now has gone dark after a massive law enforcement operation, employed Tor to mask the identity of its participants.

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6443
PUBLISHED: 2019-01-22
A vulnerability in Brocade Network Advisor Versions before 14.3.1 could allow an unauthenticated, remote attacker to log in to the JBoss Administration interface of an affected system using an undocumented user credentials and install additional JEE applications. A remote unauthenticated user who ha...
CVE-2018-6444
PUBLISHED: 2019-01-22
A Vulnerability in Brocade Network Advisor versions before 14.1.0 could allow a remote unauthenticated attacker to execute arbitray code. The vulnerability could also be exploited to execute arbitrary OS Commands.
CVE-2018-6445
PUBLISHED: 2019-01-22
A Vulnerability in Brocade Network Advisor versions before 14.0.3 could allow a remote unauthenticated attacker to export the current user database which includes the encrypted (not hashed) password of the systems. The attacker could gain access to the Brocade Network Advisor System after extracting...
CVE-2019-6507
PUBLISHED: 2019-01-22
An issue was discovered in creditease-sec insight through 2018-09-11. login_user_delete in srcpm/app/admin/views.py allows CSRF.
CVE-2019-6508
PUBLISHED: 2019-01-22
An issue was discovered in creditease-sec insight through 2018-09-11. role_perm_delete in srcpm/app/admin/views.py allows CSRF.