Twitter swaps kudos for cash with launch of bug bounty security program

Twitter joins a growing number of companies opening to the crowd to keep its applications secure.
Written by Liam Tung, Contributing Writer

Twitter will start giving security researchers more than bragging rights for finding security flaws, with a new bounty program announced on Wednesday.

Twitter has partnered with third-party bug bounty program HackerOne to launch the rewards program, which offers a minimum of $140 for each bug and has no maximum payout for bugs disclosed responsibly.

"Twitter will determine in its discretion whether a reward should be granted and the amount of the reward. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active," it states on its HackerOne page.

Twitter announced the program yesterday but appears to have actually launched it three months ago, according to its HackerOne timeline. The page lists 46 bugs that have been fixed in that time, including bugs that weren't in the program's scope, such as flaws in Vine.

The program offers cash rewards for vulnerabilities found in *.twitter.com, as well as the Twitter apps for iOS and Android. That means no payouts for Twitter's many other ad companies, or for Vine and Tweetdeck; bugs reported for those properties are still eligible for its Hall of Fame instead. However, Twitter notes, more products may be brought within the scope of the program in future.

Until now, Twitter has remained in the Hall of Fame camp, only giving researchers who find bugs in its software kudos rather than cash. Others in this group include Apple, Adobe, eBay, Evernote, BlackBerry, and Uber.

Perhaps the most widely known bug bounty program is Google's, which has been in operation since 2010, and last month awarded one researcher $30,000 for detecting a combined attack in Chrome 37 that could have led to remote code execution outside of the Chrome sandbox. Its rewards officially range between $100 and $20,000 for qualifying bugs.

Firefox maker Mozilla launched its first bug bounty program in 2004. Earlier this year, in the wake of the Heartbleed bug, it posted a special $10,000 bounty for bugs in Firefox's new certificate verification library.

Others that have since adopted the bounty model include Microsoft, which offers up to $100,000 in a single payout, as well as Yahoo and eBay/PayPal.
