Tor Project Launches Big Bounty Program: Earn Up to $4,000 for Discovered Bugs
The Tor Project has officially launched a public bug bounty program, offering rewards of up to $4,000 for finding vulnerabilities. The idea of a public reward program was first discussed by Tor developers at the end of 2015. A private bug bounty program began in January 2016, which helped specialists uncover several bugs, including denial-of-service (DoS) and out-of-bounds (OOB) vulnerabilities.
Now, with support from the Open Technology Fund, the Tor Project has announced the launch of an open bug bounty program on the HackerOne platform. Participants are invited to search for bugs in the Tor Browser and the Tor network daemon. The program is interested in vulnerabilities that allow privilege escalation, remote code execution, or unauthorized access to user data, as well as in attack methods that could extract encrypted data from nodes and clients.
Reward Structure
- High-severity bugs: $2,000–$4,000
- Medium-severity bugs: $500–$2,000
- Minor issues: $100 or, in some cases, no cash prize but a gift such as a T-shirt, stickers, and a spot in the Tor Hall of Fame
Bugs found in third-party libraries used by Tor (as long as those libraries are not already part of other bug bounty initiatives like IBB) are also eligible for rewards ranging from $500 to $2,000. However, the developers specifically note that the program does not cover OpenSSL.