#HackTor: Tor Opens up its Bug Bounty Program

The Tor Project has teamed up with HackerOne to invite hackers to find vulnerabilities in its online anonymization platform used by 1.5 million citizens, journalists, privacy advocates, and dissidents around the globe.

The new public bug bounty program expands on its two-year-old invite-only bug bounty project that doled out a total of $2,200 for seven vulnerability finds, including crash and denial-of-service and edge-case memory-corruption flaws. Under its new public bug bounty program, which Tor announced with the #HackTor moniker, Tor is offering up to $4,000 per bug find, depending on the severity and impact of the flaw.

Tor is hoping the program will help it root out some specific vulnerabilities in its Tor network daemon and browser software: local privilege escalation, unauthorized access of user data, leakages of crypto material of relays or clients, and remote code execution.

"After experiencing the success of the private bug bounty program, we're electing to open up our program to all hackers willing to comply with the scope of the program on an ongoing basis. The private bounty brought us quality bug reports and helped us fixing issues not only in software eligible under the bug bounty program, but also in other tools we produce or use," Tor browser team lead Georg Koppen said via an email interview.

Tor's bug bounty is sponsored by the Open Technology Fund, an organization that supports Internet freedom initiatives worldwide. 

Alex Rice, co-founder and CTO of HackerOne, a bug bounty platform service, says many organizations start with a private bug-bounty program to get their feet wet. "Tor made the decision rather than ramping up rewards to ramp up the number of hackers" searching for vulnerabilities in its software, he says.

Over the past year and a half, Tor had begun inviting more hackers to its closed program and upping the amount of its awards to bug finders, Rice notes.

"The stakes for vulnerabilities in a technology like Tor are so much higher than the average organization," Rice says. "People using Tor are human rights advocates, privacy advocates, and individuals going to extremes to protect their privacy because often their lives are in danger if that privacy technology reveals them."

But the flip side to Tor's popularity is that it's also used by seedy elements of the Internet world: the infamous AlphaBay Darkweb underground marketplace, for example, which now has gone dark after a massive law enforcement operation, employed Tor to mask the identity of its participants.

Related Content: