Tor network will pay you to hack it through new bug bounty program

Tor wants to find bugs which could compromise the identity of its users.
Written by Charlie Osborne, Contributing Writer

The Tor Project has joined with HackerOne to launch a public bug bounty program aimed at finding vulnerabilities which could compromise the anti-surveillance network.

The Tor network is a system of nodes and relays used to mask online activity, as well as access areas of the Internet not indexed by so-called "clear web" search engines.

While sometimes associated with Dark web illegal trading and nefarious goods, Tor is also a key tool for activists, privacy enthusiasts, and journalists looking to keep their online activities private.

Cybercriminals and governments alike are constantly poking the system to find vulnerabilities to exploit for surveillance purposes.

This year, the FBI used a "non-public' vulnerability to unmask individuals connected to child pornography, but as the agency refused to reveal how this was achieved, the case was dropped.

Tor is not 100 percent safe from compromise; no system is. However, to close the net on any bugs which may be used in similar ways in the future -- no matter the cause -- Tor is asking researchers to scour the network for any weak links.

"Millions of people around the world depend on Tor to browse the internet privately and securely every day, so our security is critical," The Tor team says. "Bugs in our code pose one of the biggest threats to our users' safety; they allow skilled attackers to bypass Tor's protections and compromise the safety of Tor users."

On Thursday, Tor launched a public bug bounty program under the moniker #HackTor. Hosted on the HackerOne platform, the scheme is specifically targeting security flaws in the Tor network daemon and Tor browser used to access the network.

In particular, Tor would like to see reports of any remote code execution flaws, local privilege escalation, unauthorized access of user data, or attacks that cause the leakage of crypto material of relays or clients.

Depending on the severity of the issue, researchers can expect to earn up to $4,000 per report.

The public bug bounty follows in the steps of a private program launched in January 2016 which resulted in three denial-of-service flaws and four edge-case memory corruption bugs being discovered, fixed, and rewarded.

See also: The 10 step guide to using Tor to protect your privacy

Tor Browser chief Georg Koppen told HackerOne that the decision to go public was made once the private system allowed the Tor team to better organize their workflow.

"We want to expand relationships with the research community and make our software more secure in the process," Koppen says. "Reported bugs will help us to address issues before they can potentially become a threat to our network of users."

"I can easily see expanding the program's scope beyond Tor and Tor Browser to cover other parts of our software ecosystem or even infrastructure as well," he added.

Must-have mobile apps to encrypt your texts and calls

Editorial standards