Invite-only bug bounty criticised for turning up the heat on Tor
HackerOne squares up to critics
Backers of a private bug bounty for Tor have defended the project in the face of criticism from a leading security researcher.
The invite-only exploit bug bounty program for the Tor anonymization network is being organised through HackerOne.
Tor has long been a target for foreign states and intel agencies. This has been well known among security researchers for years, even before elements of the Edward Snowden leaks confirmed that such shenanigans had taken place.
Security researcher Mark Litchfield told El Reg that Tor has turned the heat up on itself while simultaneously looking towards the wrong type of people to root out bugs.
Publicising the project is likely to mean every foreign state, agency is now actively hacking Tor to ensure they can get some “window of opportunity” before it may be discovered by someone else, according to Litchfield.
“Tor is absolutely a target for agencies and foreign states,” Litchfield argued. “So to shout out everywhere about a Bug Bounty Program, and then make it a private one which will be around 15-20 researchers is crazy.”
“All they have done is turn up the heat for these black hats to get some bugs in Tor sooner rather than later. The shelf life of any bug they may have found or will find might become a lot shorter.”
El Reg passed on these criticisms to HackerOne which responded with a robust defence of the Tor bug bounty.
"Tor's invitation-only bounty program is akin to a beta release to ensure a higher quality experience when they do take the program public,” HackerOne co-founder and CTO Alex Rice explained. “Many view it as a best practice for a company to launch an invite program first, so their security team is better prepared for a public program down the line. Invite programs on HackerOne are not limited to 15-20 researchers, but rather over 100 in cases.”
“Tor didn't want to develop this program in secret, which is why they announced our partnership as soon as they were committed to a bug bounty program. This is both for transparency and to solicit valuable feedback from the internet community. They have explicitly stated that they plan to release the program broadly later this year,” he added.
Show me the money
Tor seemingly does not understand the average Bug Hunter, who Litchfield reckons have probably never attacked a “client” or used a debugger in their careers, both core skills for this type of enterprise.
“There are not exactly what I would call hard core researchers that understand assembly language or have probably never used a debugger or tools like IDA,” he told El Reg. “These researchers are fundamentally web app hackers. Their concern is the amount of reports they are going to receive.”
Tor has left themselves in a position now where it will have 15-20 researchers on a "private" bug bounty program, who are most likely incapable of doing this type of research.
HackerOne disputed Litchfield’s assessment that 'bug hunters only know web apps' is incorrect. Other great bug bounty examples outside web apps include Pwn2Own, Chrome/Firefox/IE, Internet Bug Bounty (SSL, Programming Languages, Flash, etc).
“Bounty programs are effective across all aspects of technology,” according to HackerOne.
Litchfield remains concerned that Tor just brought a whole lot of unnecessary attention to themselves, their product and network for an insufficient response in pursuit of uncertain rewards.
Tor is a "valuable" target for attack. Any decent bug is worth really good money to surveillance agencies and foreign states.
“They better have awards that at least compete with Zerodium, otherwise it's a complete waste of time,” according to Litchfield. ®