Twitter announced on Wednesday the launch of its own bug bounty program, rewarding security researchers for “responsibly-disclosed issues.”
We’re introducing a bug bounty program to thank researchers for responsibly-disclosed issues. Learn more: https://t.co/cXkWDsQuRe.
— Twitter Security (@twittersecurity) September 3, 2014
In collaboration with HackerOne, the social media network will reward researchers with a minimum of $140 for each vulnerability reported, with the payout depending on the criticality of the bug.
“We’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues,” states Twitter’s HackerOne page.
“To recognize their efforts and the important role they play in keeping Twitter safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities.”
In addition to the Twitter.com domain, the program also applies to various other subdomains, such as ads.twitter.com, apps.twitter.com, tweetdeck.twitter.com and mobile.twitter.com, as well as its iOS and Android apps.
Common vulnerabilities that security researchers could cash out on include unauthorized access to DMs, unauthorized access to protected tweets, cross-site scripting (XSS), cross-site request forgery (CSRF) and remote code execution (RCE).
“Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program,” said Twitter, adding that other Twitter properties or applications may be added in the future.
The cash reward is a new addition to Twitter’s HackerOne program, which has been active for about three months. So far, the site reports 44 hackers have been “thanked” and 46 bugs have been disclosed. The site also lists “Top Hackers” under a “Hall of Fame.”
Tim Erlin, Tripwire’s director of IT security and risk strategy, said bug bounty programs have proven to be an effective tool for vendors to drive towards responsible disclosure by providing financial motivation that favors a vendor-first response.
“While Twitter’s minimum payment of $140, to match the 140 characters allowed in a tweet, is a nice touch, the real value lies in driving discovered bugs to Twitter developers, instead of into underground communities of potential attackers.”
“A bug bounty program also provides the vendor with a clear, quantifiable cost to target for reduction through improved development practices. Bug bounty programs make sense at the business level, so it’s no surprise that Twitter is following suit with their own process.”
Security researchers may agree that bug bounty programs are a great way to incentivize security research, since it’s much easier for researchers to justify privately disclosing a bug when they know they’re getting a payout. However, even though a company pays a bug bounty, they still need to be diligent about issuing a fix quickly.
“There is nothing stopping a researcher from selling a bug to multiple sources,” said Lamar Bailey, Tripwire’s director of the Vulnerability and Exposure Research Team (VERT).
The social media network is now one of many major Internet companies that aim to make the Web safer for users, including Facebook, Yahoo! and Mozilla. In July, Google also announced “Project Zero,” its new security research team working on disclosing vulnerabilities across the Internet.