One of the original crowdsourced bug bounty programs is offering its services free to open source projects — as a way to contribute to the maintenance of the internet infrastructure we all rely on.
“Open source runs through our veins,” HackerOne spokeswoman Lauren Koszarek told CyberScoop by email. “We know that open source underpins many products and services that we use every day so we want to ensure that open source projects can get as much support as possible in running simple, efficient, and productive security programs.
“We want to give something back,” she said.
Outside of web-geek circles, few people realize the extent to which the internet is based on open source software that is often developed, maintained and updated by volunteers. OpenSSL, for instance, the open source cryptographic software library in which the massive Heartbleed vulnerability was discovered, was maintained by three part-time volunteers. But when the Heartbleed coding error was discovered, it affected a majority of the internet’s websites.
Although OpenSSL got grants and other support following Heartbleed, many vital parts of the internet infrastructure continue to be maintained on a collaborative, voluntary basis through open source projects on which coders work together, often in their spare time.
“Eligible open source projects will receive the powerful HackerOne Professional service for free,” explained Koszarek. To be eligible, projects must be available for wide use under an Open Source Initiative license; be active for at least three months; provide instructions for researchers to submit bug findings; advertise the HackerOne program; and respond to new vulnerability reports within a week.
For eligible projects, the company’s Community Edition platform will provide “vulnerability submission, coordination, dupe detection, analytics, and bounty programs,” and “greatly simplify how you define scope, receive vulnerability reports, manage those reports, and incentivize security researchers to help harden your project.”
HackerOne does not pay any bounties itself. It’s up to the companies using its system to decide how they want to reward the hackers who find bugs — with cash rewards or with kudos points, which raise the finders’ earning power across the entire HackerOne ecosystem. Likewise, it will be up to the open source projects that join the platform to decide what reward system to use.