Tor launches Bug Bounty Program, hackers can earn between $2,000 and $4,000 for high severity flaws

The Tor Project announced the launch of a public bug bounty program. Bug hunters can earn between $2,000 and $4,000 for high severity flaws.

It’s official, the Tor Project announced the launch of a public bug bounty program through the HackerOne platform, the initiative was possible with support from the Open Technology Fund.

“With support from the Open Technology Fund, we’re launching our first public bug bounty with HackerOne. We’re specifically looking for your help to find bugs in Tor (the network daemon) and Tor Browser. A few of the vulnerabilities we’re looking for include local privilege escalation, unauthorized access of user data, attacks that cause the leakage of crypto material of relays or clients, and remote code execution.” states the official announcement.

Hackers can earn thousands of dollars if they find serious vulnerabilities in the Tor network that could be exploited to track its users.

This isn’t the first time the Tor Project announces the launch of a bounty program, the Tor Project first announced it in December 2015. The Tor Project launched a private program in January 2016 and bug hunters reported three denial-of-service (DoS) flaws, and four memory corruption issues.

Back to the present, the Tor Project is looking for flaws in the Tor network daemon and Tor Browser.

The experts at the organizations are interested in any kind of vulnerability that could be exploited to compromise Tor relays and the Tor browsers, this means that it is open the hunt for local privilege escalation, remote code execution, unauthorized access of user data, and other attack vectors.

Bug hunters can earn between $2,000 and $4,000 for high severity vulnerabilities, while medium severity issues are worth between $500 and $2,000, while low severity issues go for at least $100. Even less severe problems will be rewarded with a t-shirt, stickers and a mention in Tor’s hall of fame. On its bug bounty page, the Tor Project provides examples for each category of vulnerabilities, including with CVE references.

The organization will also reward issues with a t-shirt, stickers and a mention in Tor’s hall of fame.

The organization will reward also flaws discovered in third-party libraries used by Tor, hackers can earn between $500 and $2,000, if the flawed libraries aren’t covered by other bug bounty programs.

“Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attacks,” continues the announcement.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Tor bug bounty program, hacking)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.