Following security breaches that have shaken confidence in many online services, Twitter today announced the launch of its bug bounty program, which will pay security researchers for responsibly reporting threats through HackerOne, a bug bounty program provider. Twitter will pay a minimum of $140 per threat reported on Twitter.com, ads.twitter, mobile Twitter, TweetDeck, apps.twitter, and its iOS and Android apps. Twitter actually began working with HackerOne three months ago according to its bug timeline, but it seems the Apple celebrity photo hack has catapulted cybersecurity to a new level of mainstream interest, and Twitter wanted to show that it takes keeping its users safe quite seriously.
Twitter writes “To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.” Already the program has recognized 44 hackers for helping Twitter close 46 bugs.
Some large companies like Facebook run their own bug bounty programs, but HackerOne offers a plug-and-play solution for companies that want the benefits of crowdsourced bug hunting without having to fiddle with administering the program themselves. Others that employ HackerOne include Yahoo, Square, MailChimp, Slack and Coinbase. HackerOne recently raised $9 million to expand and market its programs. HackerOne was co-founded by Alex Rice, a former Facebook security team member who saw the social network’s self-run bug bounty program save the company from tons of threats.
For comparison, Twitter offers a higher minimum reward than the $50 Yahoo provides or the $100 from Slack, but significantly less than the $1,000 bounty from Coinbase, $250 from Square, or the $500 Facebook provides with its in-house program.
Some are calling on Apple to work more closely with outside security researchers following the celebrity photo iCloud hacks this week. Instead, yesterday it passed the blame on to users for not choosing more secure passwords or enabling additional protections. While it does cooperate with independent experts via VUPEN, some believe a more open program could have identified some of the tactics used to steal access to the iCloud accounts of stars like Jennifer Lawrence. Perhaps Twitter’s move will encourage Apple to rethink how it includes the community in boosting security.