    The Tor Project Is Starting a Bug Bounty Program

    Written by Joseph Cox


    The Tor Project, the non-profit that maintains software for anonymity on the internet, will soon be offering a bug bounty program, meaning those who find vulnerabilities in Tor applications could get paid for their efforts.

    The announcement was made during the recurring “State of the Onion” talk at Chaos Communication Congress, an art, politics and security conference held annually in Hamburg, Germany.

    “We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved,” Nick Mathewson, co-founder, researcher, and chief architect of the Tor Project, told Motherboard. The program will start in the new year.

    Bug bounties are payments made by companies or organisations to researchers who find problems in their websites or products, and who then report them. For example, Microsoft offers bounties, as do a host of other companies, large and small.

    This approach sits in stark contrast to hackers who find vulnerabilities and, instead of informing the company affected so that the problems can be fixed, sell the details to governments or private surveillance companies, sometimes via a proxy, which can then take advantage of the vulnerabilities in offensive attacks.

    In November, researchers were awarded $1 million by new exploit company Zerodium for hacking the latest iOS operating system. Zerodium will pay $30,000 for an exploit that affects the Tor Browser.

    Bug bounties typically award researchers a lower fee, however, ranging from a few hundred dollars to tens of thousands. In 2014, Facebook paid a total of $1.3 million in bounties.

    “We have a sponsor, OTF [Open Technology Fund], who is paying HackerOne, a company that specializes in this, to help us do it,” Roger Dingledine, co-founder and research director of the Tor Project, told Motherboard.

    HackerOne is a platform for connecting researchers who discover vulnerabilities and the companies affected by them. HackerOne raised $25 million in private funding earlier this year.

    “The program will start out invite-only,” Mike Perry, lead developer of the Tor Browser, said during the talk, and added that vulnerabilities “specific to our applications” would fall into the program.

    “This program will encourage people to look at our code, find flaws in it, and help us to improve it,” Mathewson said.