Pierluigi Paganini July 20, 2017

The Tor Project announced the launch of a public bug bounty program. Bug hunters can earn between $2,000 and $4,000 for high severity flaws.

It’s official, the Tor Project announced the launch of a public bug bounty program through the HackerOne platform, the initiative was possible with support from the Open Technology Fund.

“With support from the Open Technology Fund, we’re launching our first public bug bounty with HackerOne. We’re specifically looking for your help to find bugs in Tor (the network daemon) and Tor Browser. A few of the vulnerabilities we’re looking for include local privilege escalation, unauthorized access of user data, attacks that cause the leakage of crypto material of relays or clients, and remote code execution.” states the official announcement.

Hackers can earn thousands of dollars if they find serious vulnerabilities in the Tor network that could be exploited to track its users.

This isn’t the first time the Tor Project announces the launch of a bounty program, the Tor Project first announced it in December 2015. The Tor Project launched a private program in January 2016 and bug hunters reported three denial-of-service (DoS) flaws, and four memory corruption issues.

Back to the present, the Tor Project is looking for flaws in the Tor network daemon and Tor Browser.

The experts at the organizations are interested in any kind of vulnerability that could be exploited to compromise Tor relays and the Tor browsers, this means that it is open the hunt for local privilege escalation, remote code execution, unauthorized access of user data, and other attack vectors.

Bug hunters can earn between $2,000 and $4,000 for high severity vulnerabilities, while medium severity issues are worth between $500 and $2,000, while low severity issues go for at least $100. Even less severe problems will be rewarded with a t-shirt, stickers and a mention in Tor’s hall of fame. On its bug bounty page, the Tor Project provides examples for each category of vulnerabilities, including with CVE references.

The organization will also reward issues with a t-shirt, stickers and a mention in Tor’s hall of fame.

The organization will reward also flaws discovered in third-party libraries used by Tor, hackers can earn between $500 and $2,000, if the flawed libraries aren’t covered by other bug bounty programs.

“Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attacks,” continues the announcement.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Tor bug bounty program, hacking)

[adrotate banner=”13″]