HackerOne updates Internet Bug Bounty program to improve the security of open source software
HackerOne announced the next evolution of the Internet Bug Bounty (IBB) program at the company’s annual Security conference. The IBB’s mission is to secure open source by pooling funding and incentivizing security researchers to report vulnerabilities within open source software.
The updated program builds upon this mission by providing a new pooled funding model so more organizations can leverage the IBB to secure open source dependencies within their software supply chains. Along with HackerOne, participating partners are organizations that rely on open source for software supply chains and other critical digital infrastructure, including Elastic, Facebook, Figma, GitHub, Shopify, and TikTok.
“TikTok is proud to support innovative initiatives like the HackerOne IBB pilot program to further strengthen not only TikTok’s security, but also to drive a safer internet for all by leveraging the efforts of the global security research community,” said Roland Cloutier, TikTok Chief Security Officer.
Open source software underpins nearly all modern digital infrastructure, with the average application using 528 different open source components. Most high-risk open source vulnerabilities discovered in 2020 had already existed in code for more than two years, and most organizations lack direct control over the open source software in their supply chains, so they cannot easily fix these weaknesses themselves. The IBB has already made progress on these challenges: more than 1,000 flaws have been uncovered in open source projects since its initial launch in 2013, leading to $900,000 in bounties awarded to nearly 300 hackers.
“Recent cyberattacks against software supply chains demonstrate the urgency of securing these organizational blind spots. And open source software represents a growing portion of the world’s critical supply chain attack surfaces,” said Alex Rice, CTO and co-founder of HackerOne. “The new IBB empowers organizations that are beneficiaries of open source to play an active role in collectively building more secure digital infrastructure for everyone.”
The new funding model and unified program improve incentives for partners, maintainers, and hackers to secure open source projects. Specifically, the new program makes three key changes to the original IBB:
- Pooled defenses from existing bounty programs – HackerOne customers will be able to leverage the IBB to secure open source components within their enterprise’s supply chain, by pooling 1-10% of their existing HackerOne bug bounty spend with others that share their risk.
- Support across the vulnerability lifecycle – Bounties will be divided between hackers and maintainers via an 80/20 bounty split. Since open source software maintainers volunteer to help remediate vulnerabilities that are discovered, the bounty split ensures payment for every stakeholder that contributes to vulnerability management.
- Simplified vulnerability submission – A consolidated submission flow and dedicated HackerOne support team will improve the hacker experience.
“The GitHub Security Lab focuses on fostering collaboration between security researchers and open source maintainers, to secure the open source software we all depend on,” said Xavier René-Corail, Director, Security Research at GitHub Security Lab. “With its focus on coordinated disclosure and high-impact security fixes, the Internet Bug Bounty program is a unique opportunity to further promote a collaborative community-based approach to open source security, by incentivizing both the security researcher and the maintainer.”
The new IBB will help fund some of the most commonly used open source software projects on the internet, including Curl, Django, Electron, Node.js, Ruby, and more. Eventually, HackerOne plans to open the program to more projects and any HackerOne customer that wants to help secure the open source components of their software supply chain.