Here at HackerOne, open source runs through our veins. Our company, product, and approach is built-on, inspired by, and driven by open source and a culture of collaborative software development. As such, we want to give something back.
We are delighted to announce the HackerOne Community Edition. Put simply, eligible open source projects will receive the powerful HackerOne Professional service for free. This will provide vulnerability submission, coordination, dupe detection, analytics, and bounty programs for your projects. It greatly simplifies how you define scope, receive vulnerability reports, manage those reports, and incentivize security researchers to help harden your project.
Open source projects such as Ruby, Rails, Discourse, Django, GitLab, Brave, and Sentry are already using HackerOne, and open source projects have resolved over 1,200 vulnerabilities on HackerOne.
As part of the HackerOne Community Edition, we will provide a full featured instance of HackerOne Professional to any eligible project (more on this below). Quick caveat is, dedicated customer success support isn’t included, but we do have a wealth of documentation online.
Helping to ease security in open source projects
Our primary focus at HackerOne is to help make the Internet safer. As part of this we know that open source underpins many products and services that we use every day so we want to ensure that open source projects can get as much support as possible in running simple, efficient, and productive security programs.
Jeff Atwood, co-founder of the popular Discourse open source project says, "Our HackerOne program has been a definite success for us -- a new way to get actionable security reports that improve the security of the open source Discourse project for everyone.”. He continues, “a public bounty program is an essential element of the defense in depth philosophy that underpins all security efforts."
"We use HackerOne in the GitLab project and it has been a helpful way to invite vulnerability submissions, coordinate them, and get these issues resolved”, says Sid Sijbrandij, co-founder of GitLab. “I think this will be really helpful to open source projects to manage their security programs."
“As open source has become an increasing component in how organizations consume technology, the workflow of how people build these projects is critical”, says Jono Bacon, leading community strategist/manager, and previous director of community at Canonical, GitHub, and XPRIZE. He continues, “I am delighted to see HackerOne provide a key component in this workflow in much the same way code hosting/review, continuous integration, containerization and other pieces have become staple pieces.”
Is my project eligible?
All open source projects are welcome to apply if they meet the following requirements:
Open Source projects - your project scope must only be Open Source projects that are covered by an OSI license.
Be ready - your project must be active and at least 3 months old (age is defined by shipped releases/code contributions).
Create a policy - you will add a SECURITY.md in your project root that provides details for how to submit vulnerabilities (example).
Advertise your program - you will display a link to your HackerOne profile from either the primary or secondary navigation on your project's website.
Be active - you will maintain an initial response to new reports of less than a week.
If you believe your project fulfills these requirements, you can learn more about this offering and then submit an application.
So get those applications rolling in, share the good news on social, or email an open source pal.
We’re here for you, internet.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.