HackerOne opens up bug bounties to open source


HackerOne is bringing bug hunting and software testing to open source developers to help make open source software more secure and safer to use.

A lot of modern tools and technologies depend on open source software, so a security flaw can wind up having a widespread impact — the Heartbleed flaw in OpenSSL, for example. Many open source projects still rely on the “thousand eyes” concept when it comes to software security — the idea that because anyone can see the source code, defects are found and fixed faster. While that is true to some extent, it doesn’t apply if no one is actually looking at the code, as we’ve learned repeatedly over the past few years.

HackerOne’s platform helps software teams put together a comprehensive vulnerability management program, which is more than bug bounties alone. The platform helps teams handle vulnerability submissions, coordinate communications with involved parties, identify duplicate reports, and, yes, run bug bounty programs. All of these services are now available to open source projects for free as part of HackerOne Community Edition. Eligible projects must be covered by an OSI license and be at least three months old.

Core committers on an open source project don’t always have the time to go hunting in the code looking for security vulnerabilities. They already have to triage bug reports, add or refine features, and test proposed patches. Security testing happens rarely or sporadically, and unless someone reports a vulnerability, these flaws typically linger for a long time.