Twitter Bug Bounty Official – Started Paying For Bugs

Use Netsparker


So the Twitter bug bounty program is now official, they are actually paying – and not a bad amount too. A minimum of $140 for a confirmed bug with no defined maximum.

This includes the Twitter website itself and any sub-domain (mobile, ads, apps etc), and the official mobile apps for iOS and Android. It’s somewhat strange it doesn’t mention Windows Phone as well, but I’d assume that’s included as it’s also an official app.

Twitter Bug Bounty

You can see the official tweet on the matter here:

Set up through the security response and bug bounty platform HackerOne, the program offers a minimum of $140 per threat. The maximum reward amount has not been defined.

The company is currently asking bug hunters to submit reports about bugs on its Twitter.com domain and subdomains (ads.twitter.com, apps.twitter.com, tweetdeck.twitter.com, and mobile.twitter.com) and its iOS and Android apps.

“Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program,” the company pointed out. “Common examples include: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Remote Code Execution (RCE), unauthorized access to protected tweets, unauthorized access to DMs, and so on.”


It includes all kinds of vulnerabilities, including those which some other companies brush off as “non-serious” like CSRF and XSS especially. Just don’t bother if you’re from Cuba, Sudan, North Korea, Iran or Syria because you won’t get paid.

They specifically list:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorized Access to Protected Tweets
  • Unauthorized Access to DMs

Reports about bugs on other Twitter properties or applications are welcome, but will not be eligible for a monetary reward – bug hunters will have to be content with a mention on the Twitter’s Hall of Fame, which is already populated with the names of 44 hackers.

In fact, Twitter’s bug reporting program on HackerOne has been up for three months now, but the company has only now announced that it will start paying out bounties.

So far, 46 of the reported bugs have been closed by the company’s security team, but reports received prior to September 3, 2014, are not eligible for monetary rewards.

“Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues,” the company noted, adding that the bug bounty program was started to “recognize their efforts and the important role they play in keeping Twitter safe for everyone.”

Things that do not quality (are outside the scope of the program) are issues such as:

  • Issues related to software or protocols not under Twitter control
  • Reports from automated tools or scans
  • Reports of spam (see here for more info)
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering of Twitter staff or contractors
  • Any physical attempts against Twitter property or data centers

The full details of the program can be found here: https://hackerone.com/twitter

It’s good to see more companies that are supporting responsible disclosure and putting their money where their mouths are. And honestly, the amount of money they have to pay out to make their platform and users more secure is minuscule compared to their over-bloated valuations.

Source: Help Net Security

Posted in: Exploits/Vulnerabilities, Web Hacking

, , ,


Latest Posts:


Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.


Comments are closed.