If you consider yourself something of a white hat hacker, listen up: you’ve got a new service to poke at without fear of getting hauled into court, and it’s a big one.
Last night at the BlackHat security conference, Square's resident hacker Dino Dai Zovi announced that the company would be launching a bug bounty program soon. This morning, that program went live.
I figure most TechCrunch readers are plenty familiar with the concept of a bug bounty program, but in case you’re not: it’s a company’s way of officially declaring that they don’t mind if you dig around for security vulnerabilities, as long as you follow their rules and let them know if anything turns up.
In exchange, they'll credit you for the discovery and kick down a chunk of cash as a sign of thanks, with the amount you're paid generally going hand-in-hand with how severe the bug could've been. Square is setting the minimum bounty at $250.
It’s also a promise from the company that they won’t try to crush you in court, as long as you follow their rules for disclosing a bug. You can find Square’s terms here, but they’re all pretty standard: tell Square about the issue ASAP, don’t disclose the issue to others without fair warning, don’t DDoS their servers, don’t break the law, etc. Square also specifically prohibits social engineering of their employees and physical attempts like breaking into Square’s datacenter.
The concept of a bug hunt/responsible disclosure program is by no means unique to Square. Most big companies launch one at some point — but how (or even if) a company rewards bug hunters can vary greatly. Bugcrowd has a pretty solid list of Bug Bounty programs over here.
[Image via Chris Harrison on Flickr, used under Creative Commons]