Twitter writes “To recognize their efforts and the important role they play in keeping Twitter safe for everyone we offer a bounty for reporting certain qualifying security vulnerabilities.” Already the program has recognized 44 hackers for helping Twitter close 46 bugs.
Some large companies like Facebook run their own bug bounty programs, but HackerOne offers a plug-and-play solution for companies that want the benefits of crowdsourced bug hunting without having to fiddle with administering the program themselves. Others that employ HackerOne include Yahoo, Square, MailChimp, Slack and Coinbase. HackerOne recently raised $9 million to expand and market its programs. HackerOne was co-founded by Alex Rice, a former Facebook security team member who saw the social network’s self-run bug bounty program save the company from tons of threats.
For comparison, Twitter offers a higher minimum reward than the $50 Yahoo provides or the $100 from Slack, but significantly less than the $1,000 bounty from Coinbase, $250 from Square, or the $500 Facebook provides with its in-house program.
Some are calling on Apple to work more closely with outside security researchers following the celebrity photo iCloud hacks this week. Instead, yesterday it passed blame on to users for not choosing more secure passwords or enabling additional protections. While it does cooperate with independent experts via VUPEN, some believe a more open program could have identified some of the tactics used to steal access to iCloud accounts of stars like Jennifer Lawrence. Perhaps Twitter’s move will encourage Apple to rethink how it includes the community in boosting security.