Twitter is turning to volunteer security researchers to find potential bugs in its services before attackers find them first.
The move comes after confidence in online services wavered following the security breaches that victimized a group of celebrities. Twitter has now made its own move to prevent such things from happening to it.
The company introduced a “bug bounty program” that offers a minimum reward of $140 for every report of a bug or vulnerability. It tapped the services of HackerOne, a platform established for independent security researchers, and framed the program as recognition of the important role researchers play in keeping Twitter “safe for everyone”. For every issue a researcher reports in Twitter’s iOS and Android apps, TweetDeck, apps.twitter, ads.twitter, mobile Twitter, and Twitter.com, the company will pay some cash as a thank-you for their time.
While Twitter started working with HackerOne three months ago, the highly publicized celebrity photo hack has raised public interest in cybersecurity, and Twitter wants to show its users that it is serious about keeping them safe.
Big companies like Facebook run their own bug bounty programs, while HackerOne is used by companies such as Yahoo, MailChimp, Coinbase, Square, and Slack. Twitter’s minimum reward is higher than Yahoo’s $50 and Slack’s $100. Coinbase offers the highest minimum at $1000, Square offers $250, and Facebook pays $500 through its in-house program.
Twitter also says there is no maximum reward and that the amount depends on the severity of the reported bug.
However, Twitter has set a few conditions that must be met before a researcher is eligible for a reward.
The reward goes only to the first person to report a given bug: even if you have discovered and reported one, if someone else beats you to it, there will be no reward for you. You also can’t disclose the bug before Twitter has had time to fix it. This is meant to prevent malicious parties from taking advantage of the bug, and it is common practice among security researchers who find vulnerabilities even when no reward is offered. Some security researchers, however, do reveal bugs publicly if they judge that the company is not acting quickly enough to patch the problem.
There are also countries, such as Sudan, North Korea, Syria, Iran, and Cuba, where national law prohibits Twitter from paying hackers; if you live in any of these countries, you are barred from joining the program.
During the first three months of the program’s early tests, Twitter has already paid 44 hackers and closed 46 bugs, according to the HackerOne website. Hackers will also get the chance to be featured in a hall of fame, another part of the company’s way of thanking them.
Bug bounty programs are very important because they allow experts to try to find vulnerabilities before malicious hackers do.
Apple, whose iCloud service was faulted for the leaked photos, does not have a bug bounty program.