Tor Project launches bug bounty program

Following reports of security flaws which could compromise the network, Tor is launching a program to weed out additional problems.
Written by Charlie Osborne, Contributing Writer

Anonymizing network Tor has secured the help of sponsors to launch a bug bounty network designed to stamp out vulnerabilities which may risk user privacy.
The new bug bounty program is due to start in the new year, launching first as an invite-only scheme before opening up fully to researchers.

The Tor Project is a non-profit organization which operates the Onion network, a relay-and-node system designed to make user tracking online very difficult.

The network is used by activists, researchers, journalists and users attempting to circumvent censorship set in place by governments, and at the same time, is a thorn in the side for law enforcement.

While Tor's setup makes it very difficult to track down users, no system is completely foolproof. In July, reports surfaced revealing that researchers had developed a method to uncloak users called "circuit fingerprinting." While now fixed, the situation highlighted how important it is for the network to maintain high levels of security -- and external eyes can potentially find bugs that Tor's volunteers cannot.

Security flaws can not only be exploited by attackers but also sold on for use by governments and intelligence agencies. Exploit broker Zerodium, for example, offers up to $30,000 for previously unreported zero-day vulnerabilities impacting the Tor network.

Bug bounties are a means to draft in additional help from security professionals to patch these problems. Offered by companies ranging from Google to Microsoft, bug bounties offer credit and sometimes financial rewards to researchers for reporting problems rather than selling them on in the underground or publishing them publicly before firms have a chance to fix issues.


The Tor Project's new bug bounty program was announced during the "State of the Onion" talk at the Chaos Communication Congress conference, held in Hamburg, Germany.

As reported by Motherboard, the non-profit said that vulnerabilities "specific to our applications" will be included within the program.

There are no details currently available on the rewards offered to researchers who report Tor flaws -- whether it be cash or credit -- but the organization does have help in luring external experts to contribute to the surveillance-thwarting network.

The Open Technology Fund (OTF), an institution which issues grants for projects and ideas which "change in the Internet landscape," has signed on as a sponsor to support the bug bounty program.

OTF works with companies which improve access to the Internet, offer tools to circumvent blocks, and improve security and privacy. As Tor's full focus is on scrubbing away the digital footprints of users and enhancing individual privacy, it is a natural candidate for funding by OTF.

Nick Mathewson, co-founder, researcher, and chief architect of the Tor Project, told the publication:

"We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved."

In a recent interview with Tor, former US National Security Agency contractor Edward Snowden called Tor a "critical technology" which resists the surveillance efforts of governments and assists in defending the public's right to privacy.

"The design of the Tor system is structured in such a way that even if the US government wanted to subvert it, it couldn't because it's a decentralized authority," Snowden said. "It's a volunteer based network. Nobody's getting paid to run Tor relays -- they're volunteers worldwide. And because of this, it provides a built-in structural defense against abuses and most types of adversaries."

Last month, the non-profit launched a fundraising effort in the hopes of securing additional investment to improve and shore up the defenses of the anonymizing onion network as well as launch "educational" projects. Current sponsors of the network include Reddit and the National Science Foundation.
