In January 2016, the Tor Project launched its first private bug bounty program on HackerOne. Today the Tor Project announced its public bug bounty program. We sat down with the Tor security team lead, Georg Koppen to learn more about the program, what it means for the industry, and how it fits into Tor’s security strategy. See the full Q&A below and check out Tor's page.
Q: Please introduce yourself and tell us what you do for Tor.
I am Georg Koppen and have been working in the privacy and anonymity space for a while now. I am currently leading the Tor Browser team at the Tor Project.
Q: Why is the Tor Project important to worldwide open communication on the internet?
We provide the foremost tools allowing users to bypass censorship and tracking, major hindrances to open communication on the internet. Our users retain their privacy and are anonymous. With Tor, there is no single party that one needs to trust. User requests and responses are repeatedly bounced across three randomly selected Tor nodes. Our decentralized and robust design helps millions of users be safe online. For many, Tor is the only safe way to access the internet.
Q: Why is security so important to Tor?
Security is important for Tor because exploiting security holes in our software can easily lead to breaks in privacy and anonymity for our users. If our software contains serious coding flaws, the protections Tor offers can get bypassed by skilled attackers, compromising our users. If we're not secure, we're not delivering on our promise to users. We need to constantly address issues before they can potentially become a threat to our network.
Q: Why did you decide to launch a bug bounty program? Why are you working with hackers to improve your security?
We are advocates of free and open source software, and we even organize our development on open mailing lists and via open IRC channels. One of the main goals behind that is to invite researchers, users, and other interested parties to study our designs and our code in order to find flaws which we need to fix to provide even better protections for our users. We're grateful to have a lot of skilled volunteers that help us with this task, so it works pretty well. That said, starting a bug bounty program strengthens our commitment by financially rewarding people in our community who find bugs, and it helps us get the support of professional hackers who hunt bugs for a living.
Q: What tips do you have for organizations first starting out with a bug bounty program?
Take your time. First, start with a private bug bounty program to get used to the workflow. Get a feeling for how many resources you'll need to get back to bug reporters in a timely manner and get the reported bugs fixed.
Q: You recently transitioned from a private to a public program. Can you talk about the decision to go that route?
We first invited only a small number of researchers to inspect our code. Once we got better at organizing our workflow, we invited more and more researchers to join the bug hunting. Eventually, we reached a point where we felt we could handle going public. We knew going public would expand our relationships in the community and improve our results.
Q: What is different about Tor’s bug bounty program and why is opening up its software to hackers important?
I think a lot is potentially at stake with our program. Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. We're already open with our code, but the bug bounty program will help more people join us in keeping Tor safe by providing financial compensation for bugs on an open platform.
Q: Do you have any specific stories about an interesting or surprising bug found via a bounty? (Doesn’t have to be critical or high bounty value, just interesting)
Not about a bug in particular. But I was surprised by how bug hunters didn't just look at Tor and Tor Browser but scrutinized other software we use or provide, too; they found bugs in torsocks and libevent. So, we've not only benefitted from more eyes on the software specific to the bug bounty program, we've been able to make other tools more secure as well. I was not aware of that dynamic before we started, but I am very happy about it.
Q: What metrics do you track on your bounty program?
So far we don't have any elaborate metrics to track incoming bug reports. We sort them into Tor and Tor Browser issues and have developers from the respective team triage them and get them into the development cycle for fixing. But I can imagine we'll get enough data over time which will allow us to allocate development resources earlier and improve especially vulnerable parts in our code bases, for example. That prospect is pretty exciting!
Q: How does your bug bounty program supplement the work you and your security team do?
The bug bounty program is an important piece in the puzzle in that it reaches a new audience of bug hunters. Furthermore, we now have a platform available that makes it easy for us to openly interact with hackers and deal with incoming security reports. I expect we'll see more high-quality bug reports and get those fixed faster as a result.
Q: Where do you see your bug bounty program evolving to in the future? What goals do you have, what do you want to strive for from a security perspective?
We want to expand relationships with the research community and make our software more secure in the process. Reported bugs will help us to address issues before they can potentially become a threat to our network of users. I can easily see expanding the program’s scope beyond Tor and Tor Browser to cover other parts of our software ecosystem or even infrastructure as well.
Q: Why did Tor choose the HackerOne platform for its bug bounty program?
HackerOne is well known by the security community, and we wanted to pick a trusted platform for open communication with independent experts.