So the Twitter bug bounty program is now official, they are actually paying – and not a bad amount too. A minimum of $140 for a confirmed bug with no defined maximum.
This includes the Twitter website itself and any sub-domain (mobile, ads, apps etc), and the official mobile apps for iOS and Android. It’s somewhat strange it doesn’t mention Windows Phone as well, but I’d assume that’s included as it’s also an official app.
You can see the official tweet on the matter here:
We're introducing a bug bounty program to thank researchers for responsibly-disclosed issues. Learn more: https://t.co/cXkWDsQuRe.
— Twitter Security (@twittersecurity) September 3, 2014
Set up through the security response and bug bounty platform HackerOne, the program offers a minimum of $140 per threat. The maximum reward amount has not been defined.
The company is currently asking bug hunters to submit reports about bugs on its Twitter.com domain and subdomains (ads.twitter.com, apps.twitter.com, tweetdeck.twitter.com, and mobile.twitter.com) and its iOS and Android apps.
“Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program,” the company pointed out. “Common examples include: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Remote Code Execution (RCE), unauthorized access to protected tweets, unauthorized access to DMs, and so on.”
It includes all kinds of vulnerabilities, including those which some other companies brush off as “non-serious” like CSRF and XSS especially. Just don’t bother if you’re from Cuba, Sudan, North Korea, Iran or Syria because you won’t get paid.
They specifically list:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Remote Code Execution (RCE)
- Unauthorized Access to Protected Tweets
- Unauthorized Access to DMs
Reports about bugs on other Twitter properties or applications are welcome, but will not be eligible for a monetary reward – bug hunters will have to be content with a mention on the Twitter’s Hall of Fame, which is already populated with the names of 44 hackers.
In fact, Twitter’s bug reporting program on HackerOne has been up for three months now, but the company has only now announced that it will start paying out bounties.
So far, 46 of the reported bugs have been closed by the company’s security team, but reports received prior to September 3, 2014, are not eligible for monetary rewards.
“Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues,” the company noted, adding that the bug bounty program was started to “recognize their efforts and the important role they play in keeping Twitter safe for everyone.”
Things that do not quality (are outside the scope of the program) are issues such as:
- Issues related to software or protocols not under Twitter control
- Reports from automated tools or scans
- Reports of spam (see here for more info)
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering of Twitter staff or contractors
- Any physical attempts against Twitter property or data centers
The full details of the program can be found here: https://hackerone.com/twitter
It’s good to see more companies that are supporting responsible disclosure and putting their money where their mouths are. And honestly, the amount of money they have to pay out to make their platform and users more secure is minuscule compared to their over-bloated valuations.
Source: Help Net Security