January 14, 2014
Wickr is looking to recruit the best hackers in the world in a continuous effort to protect our users. Starting today, we are offering generous amounts of money for critical security bugs found in our app and responsibly disclosed.
Wickr will pay as much as US $100,000 for a vulnerability that substantially affects the confidentiality or integrity of user data. We will also consider paying the same amount for defense techniques and novel approaches to eliminating the vulnerability that are submitted at the same time. Our goal is to make this the most generous and successful bounty program in the world.
Beyond making lots of money, you can feel good about helping Wickr because we were founded to protect the basic human right of private correspondence. Private correspondence is extremely important to a free society. People all over the world depend on Wickr. Please help us with this mission.
To submit a bug, please contact us via email at [email protected] The program specifics are on the following pages.
Beyond the Bug Bounty Program, Wickr engages with the best security firms in the world for code review and penetration testing. Veracode gave Wickr a perfect score on its first review. Furthermore, Wickr had the honor to be the target of a presentation at DEF CON 21 conducted by experts from Stroz Friedberg, one of the largest forensics companies in the world. The researchers analyzed Wickr, Snapchat and Facebook Poke to determine that while Snapchat and Facebook revealed personal information, Wickr indeed left no trace. We expect finding critical vulnerabilities in Wickr to be difficult and are honored to work with those that do.
The Wickr team is made up of security and privacy experts who strongly believe online communications should be untraceable by default. Wickr is a free app enabling anyone to to send text, audio, picture and video messages that self-destruct because they are private, secure and anonymous. Unlike any other messaging app, Wickr binds each message to your device, clears metadata from files and permanently shreds deleted files from your device.
Since the launch in June 2012, Wickr has seen an exponential growth and 5-star reviews in the App Store. As a top ranked free social app in the U.S., China, India, Israel, Spain, South Africa and Brazil, we have served millions of secure messages. Wickr is headquartered in San Francisco, CA. More information is available at https://www.mywickr.com.
Wickr Bug Bounty Program
The Wickr Bug Bounty Program is designed to encourage responsible security research in Wickr software. It is impossible to overstate the importance of the role the security research community plays in securing modern software. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their research speeds the pace of advancing security to the benefit of all. With this program and partnership, we pledge to drive constant improvement relating to the security interests of our users, with the goal of keeping Wickr the most trusted messaging platform in the world.
Terms and Conditions
Wickr will issue rewards in return for qualifying security bugs. A qualifying security bug is any previously unreported design or implementation issue that substantially affects the confidentiality or integrity of user data.
Any age is welcome to participate. Wickr Android was first beta tested with the r00tz kids at DEF CON.
To submit a bug, please contact us via email at [email protected]
Judging will be done based on the severity of the exploits, the conditions in which it was possible to have that exploit, the impact the exploit had on the user's messages, the app's availability & proper functioning, on the routing of the messages, server storage availability and functionality, as well as on the quality and feasibility of the solution provided by the person discovering the exploit. At the request of Wickr, the person submitting the exploit must provide all the tools, procedures and algorithms used available for study by Wickr engineers.
We believe in responsible disclosure of security vulnerabilities. To allow sufficient time for internal review and remediation, and to qualify for reward, qualifying security bugs submitted under this program cannot be disclosed or reported to any third party within three (3) months of the date of submission without our written permission.
Rewards range from $10,000 to $100,000, depending on our assessment of severity as calculated by likelihood and impact. Reward amounts are set entirely at the discretion of Wickr, and all determinations are final. The payments are in US dollars the beneficiary is responsible for all applicable taxes, fees and tariffs in the country of residence. Team submissions must split the reward.
The prize payment cannot be made anonymously and personal identifiable information (PII) must be provided to Wickr before payment can be made. The PII might contain the legal name, address, phone number and financial information like bank account number, etc.
All prizes and their money value are established by Wickr Inc and payable after all the requirements have been met and a solution to the exploit has been implemented and deployed.
The scope of this program is limited to technical security vulnerabilities in Wickr software. Under no circumstances should your testing affect the availability of Wickr services, disrupt or compromise any data that is not your own, or violate any law or our Terms of Service.
To be eligible for the program, you must not:
• Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
• Be employed by Wickr, Inc. or its subsidiaries
• Be an immediate family member of a person employed by Wickr, Inc. or its subsidiaries
You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law and age. We reserve the right to cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion. Void where prohibited by law.