Tor Project Launches Big Bounty Program: Earn Up to $4,000 for Discovered Bugs
The Tor Project is a nonprofit organization dedicated to protecting online privacy and ensuring uncensored access to the internet. Emerging from U.S. Naval Research Lab experiments with onion routing in the 1990s, Tor evolved into a decentralized, volunteer-powered network that hides user identities by routing traffic through multiple encrypted relays. Since the launch of the Tor Browser in 2008, it has become a crucial tool for activists, journalists, and everyday users worldwide, supporting free expression during events like the Arab Spring and proving resilient in the face of mass surveillance disclosures. Today, Tor is sustained by a global community committed to human rights, transparency, and digital freedom.
The Tor Project has officially launched a public bug bounty program, offering rewards of up to $4,000 for finding vulnerabilities. The idea of a public reward program was first discussed by Tor developers at the end of 2015. A private bug bounty program began in January 2016, which helped specialists uncover several bugs, including denial-of-service (DoS) and out-of-bounds (OOB) vulnerabilities.
Now, with support from the Open Technology Fund, the Tor Project has announced the launch of an open bug bounty program on the HackerOne platform. Participants are invited to search for bugs in the Tor Browser and the Tor network daemon. The program is interested in vulnerabilities that allow privilege escalation, remote code execution, unauthorized access to user data, as well as information about attack methods that could extract encrypted data from nodes and clients.
Reward Structure
- High-severity bugs: $2,000–$4,000
- Medium-severity bugs: $500–$2,000
- Minor issues: $100 or, in some cases, no cash prize but a gift such as a T-shirt, stickers, and a spot in the Tor Hall of Fame
Bugs found in third-party libraries used by Tor (as long as those libraries are not already part of other bug bounty initiatives like IBB) are also eligible for rewards ranging from $500 to $2,000. However, the developers specifically note that the program does not cover OpenSSL.