Twitter launches bug bounty program
With a simple tweet, Twitter has officially launched its own bug bounty program.
Set up through the security response and bug bounty platform HackerOne, the program offers a minimum of $140 per threat. The maximum reward amount has not been defined.
The company is currently asking bug hunters to submit reports about bugs on its Twitter.com domain and subdomains (ads.twitter.com, apps.twitter.com, tweetdeck.twitter.com, and mobile.twitter.com) and its iOS and Android apps.
“Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program,” the company pointed out. “Common examples include: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Remote Code Execution (RCE), unauthorized access to protected tweets, unauthorized access to DMs, and so on.”
Reports about bugs on other Twitter properties or applications are welcome, but will not be eligible for a monetary reward – bug hunters will have to be content with a mention on the Twitter’s Hall of Fame, which is already populated with the names of 44 hackers.
In fact, Twitter’s bug reporting program on HackerOne has been up for three months now, but the company has only now announced that it will start paying out bounties.
So far, 46 of the reported bugs have been closed by the company’s security team, but reports received prior to September 3, 2014, are not eligible for monetary rewards.
“Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues,” the company noted, adding that the bug bounty program was started to “recognize their efforts and the important role they play in keeping Twitter safe for everyone.”
If you’re interested in more about bug bounty programs, check out Lessons learned from running 95 bug bounty programs with Casey Ellis, CEO at Bugcrowd.