Twitter pays out over $322,000 to bug bounty hunters

Remote code execution flaws do not appear to be at the top of the list, however.


Twitter has revealed that the firm has paid out $322,420 to bug bounty hunters in only two years.

It was not that long ago that researchers seeking to report security vulnerabilities in systems and software had few outlets to do so. Emails and contact forms were the standard communication channel, and should a bug be investigated and deemed valid, the researcher was likely to receive little more than a pat on the back and perhaps public credit.

However, things have changed. Cyberthreats and data breaches are now a daily occurrence, which means businesses looking to protect their products and networks have to either hire in-house or seek external help to discover and fix problems before they can be exploited.

A number of firms are now either establishing their own bug bounty programs or turning to platforms such as HackerOne to monitor and run programs for them. As cybersecurity skills are now in hot demand, the majority of corporations now offer financial rewards and incentives to entice researchers to spend time ferreting out vulnerabilities on their behalf.

Twitter is one such company. The microblogging platform's bug bounty program has been running for two years, resulting in thousands of dollars being awarded to researchers for reporting a total of 5,171 security issues.


According to Twitter software engineer Arkadiy Tetelman, 1,662 researchers have signed up to the program to disclose vulnerabilities in the Twitter platform to date.

In two years, 20 percent of the bugs found within the system have been publicly disclosed -- after they have been fixed and when a researcher requests permission to make vulnerabilities public -- and as payout amounts increase, so does the number of submissions.

While Twitter's minimum payout is $120 for problems which are not very severe, the average payout per bug is $835. However, Twitter's highest payout to date is $12,040, and a single researcher was able to make $54,000 in 2015 alone.

Some notable bugs have been reported through the program. An HTTP response bug which allowed attackers to send victims to a valid page with headers controlled by cybercriminals has been patched, alongside an XSS problem within the Android Crashlytics application. A simple insecure direct object reference bug which permitted attackers to delete all credit cards stored on the platform has also been fixed.

Twitter also offers a minimum payout of $15,000 for remote code execution vulnerabilities but so far, no reports have been submitted.

The bug bounty program has been a success for Twitter, as it has for other companies. However, just like rival firms, the microblogging platform also has in-house security positions open -- which is unsurprising considering the cybersecurity skill shortage.

In the meantime, bug bounty programs are likely to remain a key way for companies to keep their networks as safe as possible.
