Vulnerabilities / Threats

7/20/2017
04:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

#HackTor: Tor Opens up its Bug Bounty Program

The popular identity-cloaking service has expanded its private, invite-only vulnerability discovery program to an open one via HackerOne.

The Tor Project has teamed up with HackerOne to invite hackers to find vulnerabilities in its online anonymization platform used by 1.5 million citizens, journalists, privacy advocates, and dissidents around the globe.

The new public bug bounty program expands on its two-year-old invite-only bug bounty project that doled out a total of $2,200 for seven vulnerability finds, including crash and denial-of-service and edge-case memory-corruption flaws. Under its new public bug bounty program, which Tor announced with the #HackTor moniker, Tor is offering up to $4,000 per bug find, depending on the severity and impact of the flaw.

Tor is hoping the program will help it root out some specific vulnerabilities in its Tor network daemon and browser software: local privilege escalation, unauthorized access of user data, leakages of crypto material of relays or clients, and remote code execution.

"After experiencing the success of the private bug bounty program, we're electing to open up our program to all hackers willing to comply with the scope of the program on an ongoing basis. The private bounty brought us quality bug reports and helped us fixing issues not only in software eligible under the bug bounty program, but also in other tools we produce or use," Tor browser team lead Georg Koppen said via an email interview.

Tor's bug bounty is sponsored by the Open Technology Fund, an organization that supports Internet freedom initiatives worldwide. 

Alex Rice, co-founder and CTO of HackerOne, a bug bounty platform service, says many organizations start with a private bug-bounty program to get their feet wet. "Tor made the decision rather than ramping up rewards to ramp up the number of hackers" searching for vulnerabilities in its software, he says.

Over the past year and a half, Tor had begun inviting more hackers to its closed program and upping the amount of its awards to bug finders, Rice notes.

"The stakes for vulnerabilities in a technology like Tor are so much higher than the average organization," Rice says. "People using Tor are human rights advocates, privacy advocates, and individuals going to extremes to protect their privacy because often their lives are in danger if that privacy technology reveals them."

But the flip side to Tor's popularity is that it's also used by seedy elements of the Internet world: the infamous AlphaBay Darkweb underground marketplace, for example, which now has gone dark after a massive law enforcement operation, employed Tor to mask the identity of its participants.

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1503
PUBLISHED: 2018-07-23
IBM WebSphere MQ 7.5, 8.0, and 9.0 could allow a remotely authenticated attacker to to send invalid or malformed headers that could cause messages to no longer be transmitted via the affected channel. IBM X-Force ID: 141339.
CVE-2018-1513
PUBLISHED: 2018-07-23
IBM Sterling B2B Integrator Standard Edition 5.2.0 through 5.2.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IB...
CVE-2018-6677
PUBLISHED: 2018-07-23
Directory Traversal vulnerability in the administrative user interface in McAfee Web Gateway (MWG) MWG 7.8.1.x allows authenticated administrator users to gain elevated privileges via unspecified vectors.
CVE-2018-6678
PUBLISHED: 2018-07-23
Configuration/Environment manipulation vulnerability in the administrative interface in McAfee Web Gateway (MWG) MWG 7.8.1.x allows authenticated administrator users to execute arbitrary commands via unspecified vectors.
CVE-2018-14512
PUBLISHED: 2018-07-23
An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[nickname] parameter to the index.php?m=core&f=set&v=sendmail URI. When the administrator accesses the "system settings - mail ...