Now HackerOne-led, the initiative simplifies how organizations and hackers can contribute to the security of open-source software

SAN FRANCISCO, September 21, 2021 — HackerOne, the leader in human-powered security, today announced the next evolution of the Internet Bug Bounty (IBB) program at the company’s annual Security@ conference. The IBB’s mission is to secure open source by pooling funding and incentivizing security researchers to report vulnerabilities within open source software. The updated program builds upon this mission by providing a new pooled funding model so more organizations can leverage the IBB to secure open-source dependencies within their software supply chains. Along with HackerOne, participating partners are organizations that rely on open source for software supply chains and other critical digital infrastructure, including Elastic, Facebook, Figma, GitHub, Shopify, and TikTok.

"TikTok is proud to support innovative initiatives like the HackerOne IBB pilot program to further strengthen not only TikTok's security, but also to drive a safer internet for all by leveraging the efforts of the global security research community," said Roland Cloutier, TikTok CSO.

Open-source software is behind nearly all modern digital infrastructure, with the average application using 528 different open-source components. The majority of high-risk open-source vulnerabilities discovered in 2020 have also existed in code for more than two years, and most organizations lack direct control over open-source software within supply chains to easily fix these weaknesses. The IBB has already made progress in addressing these challenges, with more than 1,000 flaws uncovered in open-source projects since its initial launch in 2013, leading to $900,000 in bounties awarded to nearly 300 hackers.

“Recent cyberattacks against software supply chains demonstrate the urgency of securing these organizational blind spots. And open source software represents a growing portion of the world’s critical supply chain attack surfaces,” said Alex Rice, CTO and co-founder of HackerOne. “The new IBB empowers organizations that are beneficiaries of open source to play an active role in collectively building more secure digital infrastructure for everyone.”

The new funding model and unified program improve incentives for partners, maintainers, and hackers to secure open-source projects. Specifically, the new program makes three key changes to the original IBB:

  • Pooled defenses from existing bounty programs: HackerOne customers will be able to leverage the IBB to secure open source components within their enterprise's supply chain by pooling 1-10% of their existing HackerOne bug bounty spend with others that share their risk.
  • Support across the vulnerability lifecycle: Bounties will be divided between hackers and maintainers via an 80/20 bounty split. Since open-source software maintainers volunteer to help remediate vulnerabilities that are discovered, the bounty split ensures payment for every stakeholder that contributes to vulnerability management.
  • Simplified vulnerability submission: A consolidated submission flow and a dedicated HackerOne support team will improve the hacker experience.

“The GitHub Security Lab focuses on fostering collaboration between security researchers and open-source maintainers to secure the open-source software we all depend on,” said Xavier René-Corail, director of security research at GitHub Security Lab. “With its focus on coordinated disclosure and high-impact security fixes, the Internet Bug Bounty program is a unique opportunity to further promote a collaborative community-based approach to open source security by incentivizing both the security researcher and the maintainer.”

The new IBB will help fund some of the most commonly used open-source software projects on the internet, including Curl, Django, Electron, Node.js, Ruby, and more. Eventually, HackerOne plans to open the program to more projects and any HackerOne customer that wants to help secure the open source components of their software supply chain.

If you or your organization is interested in contributing to the IBB as a partner, or you want to learn more about the new IBB, visit: www.hackerone.com/internet-bug-bounty.


About HackerOne

HackerOne empowers the world to build a safer internet. As the world’s most trusted hacker-powered security platform, HackerOne gives organizations access to the largest community of hackers on the planet. Armed with the most robust database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Intel, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Starbucks, Twitter, and Verizon Media. HackerOne was ranked fifth on the Fast Company World’s Most Innovative Companies list for 2020.