Technology

HackerOne goes all pro-bono on open source

Eligible open source projects will receive HackerOne's Professional service for free.

March 6, 2017

(Getty)

One of the original crowdsourced bug bounty programs is offering its services free to open source projects — as a way to contribute to the maintenance of the internet infrastructure we all rely on.

“Open source runs through our veins,” HackerOne spokeswoman Lauren Koszarek told CyberScoop by email. “We know that open source underpins many products and services that we use every day so we want to ensure that open source projects can get as much support as possible in running simple, efficient, and productive security programs.

“We want to give something back,” she said.

Outside of web-geek circles, few people realize the extent to which the internet is based on open source software that is often developed, maintained and updated by volunteers. OpenSSL, for instance, the open source cryptographic software library that was discovered to be vulnerable to the massive Heartbleed vulnerability, was maintained by three part-time volunteers. But when the Heartbleed coding error was discovered, it affected a majority of the internet’s websites.

Although OpenSSL got grants and other support following Heartbleed, many vital parts of the internet infrastructure continue to be maintained on a collaborative, voluntary basis through open source projects on which coders work together often in the their spare time.

“Eligible open source projects will receive the powerful HackerOne Professional service for free,” Explained Koszarek. To be eligible, projects must be available for wide use under an Open Source Initiative license; be active for at least three months; provide instructions for researchers to submit bug findings; advertise the HackerOne program; and respond to new vulnerability reports within a week.

For eligible projects, the company’s Community Edition platform will provide “vulnerability submission, coordination, dupe detection, analytics, and bounty programs,” and “greatly simplify how you define scope, receive vulnerability reports, manage those reports, and incentivize security researchers to help harden your project.”

HackerOne does not pay any bounties itself. It’s up to the companies using its system to decide how they want to reward the hackers who find bugs — with cash rewards or with kudos points, which raise the finders’ earning power across the entire HackerOne ecosystem. Likewise, it will be up to the open source projects who join the platform to decide what reward system to use.

HackerOne goes all pro-bono on open source

More Like This

House hurtles toward showdown over expiring surveillance tools

Civil society groups press platforms to step up election integrity work

Six-year old bug will likely live forever in Lenovo, Intel products

Top Stories

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

‘Large volume’ of data stolen from UN agency after ransomware attack

FBI director warns of China’s preparations for disruptive infrastructure attacks

More Scoops

Supply chain attack sends shockwaves through open-source community

White House releases report on securing open-source software

DOD expands vulnerability disclosure program, giving hackers more approved targets

HackerOne, Verizon Media weigh pros and cons of making live hacking contests virtual

TikTok unveils bug bounty program, scraps with US government in court over looming ban

What Shopify has learned from five years of bug bounty programs

HackerOne cuts ties with mobile voting firm Voatz after it clashed with researchers

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics