Tor Project to launch bug bounty program in 2016
After a year of growth and challenges, the Tor Project will offer exploit bounties as incentives for researchers to review its code and uncover vulnerabilities specific to its apps.
The Tor Project will launch a bug bounty program in 2016, Mike Perry, lead developer of the Tor Browser and a Tor performance developer, said during the State of the Onion address at the Chaos Communication Congress in Hamburg on Tuesday.
Perry explained that the program, which has the Tor Project partnering with HackerOne, initially would “start out invite-only so we can get used to flow and scale up.” The program will be made public “later in the year to basically provide people with incentive to review our code to look for vulnerabilities that might be specific to our applications,” he said.
Perry and his team have had a challenging year “keeping up with Firefox release treadmill,” ensuring that “their features adhere to our privacy models” and that the Tor releases come out the same day as the Mozilla releases so that no vulnerability is left exposed. He said there was a “solid three-to-four months where we felt like we were doing a release every two weeks.”
Another goal of the development team in 2016 will be to “try to convince Mozilla to adopt our idea of isolating third-party identifiers,” Perry added.
“More and more people are just doing regular things,” said Appelbaum, who added that the Tor Project ended up working with an unlikely partner, Facebook (more specifically the social media giant's engineer, Alec Muffett), to get the Internet Engineering Task Force to designate .onion as a Special-Use Domain name. As a result, “ICANN [Internet Corporation for Assigned Names and Numbers] won't sell .onion to anyone,” he said.