HackerOne is bringing bug hunting and software testing to open source developers to help make open source software more secure and safer to use.
A lot of modern tools and technologies depend on open source software, so a security flaw can wind up having a widespread impact — the Heartbleed flaw in OpenSSL, for example. Many open source projects still rely on the “thousand eyes” concept when it comes to software security — that anyone being able to see the source code means defects are found and fixed faster. While it’s true to some extent, it doesn’t apply if no one is actually looking at the code, as we’ve learned repeatedly over the past few years.
HackerOne’s platform helps software teams put together a comprehensive vulnerability management program, which is more than bug bounties alone. The platform helps teams handle vulnerability submissions, coordinate communications with involved parties, identify duplicate reports, and, yes, run bug bounty programs. All of these services are now available to open source projects for free as part of HackerOne Community Edition. Eligible projects must be covered by an OSI license and be at least three months old.
Core committers on an open source project don’t always have the time to go hunting in the code looking for security vulnerabilities. They already have to triage bug reports, add or refine features, and test proposed patches. Security testing happens rarely or sporadically, and unless someone reports a vulnerability, these flaws typically linger for a long time.
HackerOne solves the visibility problem in open source security by giving those eyeballs a place to look. If people don’t know about a particular project, then they won’t look at the source code to find security flaws. Someone interested in bug hunting is more likely to pick from a list of projects that welcome vulnerability submissions than randomly picking one out of the ether. HackerOne Community Edition helps software teams “define scope, receive vulnerability reports, manage those reports, and incentivize security researchers” to help harden the project, the company said.
This kind of coordination improves open source security because it lets projects get actionable security reports they otherwise may never see. It’s far better to have a coordinated process than to have the report posted on the full-disclosure mailing list or lose it because the researcher couldn’t find the correct email address to send the information.
Eligible projects need to add a security.md file in the project root with details on how testers can submit vulnerabilities. To continue using HackerOne Community Edition, the project team members have to be able to respond to new reports in a timely manner — in this case, less than a week.
The platform is free for the open source project owner, but HackerOne will still charge the usual 20 percent payment processing fee if the team has a program that pays out cash bounties for valid bugs. Customer service support isn’t included in the Community Edition, but HackerOne promised a “wealth of documentation” online.
The visibility problem tackles only a part of the open source security challenge, since these vulnerabilities still need to get fixed. If the project is underfunded or under-resourced (or both), then getting the updates and patches out in a timely manner will still be a problem. However, getting the reports is still a good place to start.
HackerOne has been used by many companies to run public and private bug bounty programs, including Adobe, Kaspersky Lab, Twitter, Microsoft, and Facebook. Its services aren’t limited to giant technology firms or commercial projects, either. To date, 36 open source projects, including Discourse, Django, and GitLab, have used HackerOne to power vulnerability management programs, addressing more than 1,200 vulnerabilities in their code.