Tor launches bug bounty campaign

Onion router asks security researchers to keep eyes peeled for flaws

The Tor Project has launched a bug bounty programme to help uncover vulnerabilities in the Tor applications.

The programme was announced during the project's “State of the Onion” speech at the Chaos Communication Congress, an annual security and politics conference held in Hamburg.

“We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved,” Nick Mathewson, co-founder, researcher, and chief architect of the Tor Project told Motherboard. The programme will start in 2016.

Details of what the programme will involve are sketchy, and while SCMagazineUK.com contacted the Tor Project for comment, no response had been received at the time of writing. However, it is thought that the programme will be limited at first, with a select group of security researchers invited to find bugs “specific to our applications”, said Mike Perry, lead developer of the Tor Browser. Bug finders could be in line for rewards ranging from a few hundred to tens of thousands of pounds.

Support for the programme comes from the Open Technology Fund and professional bug bounty organisation HackerOne. The latter confirmed involvement in a tweet.

Roger Dingledine, one of the original developers of Tor, said at Tuesday's talk that the Tor Network was “really, really growing”.

“More and more people [are] just doing regular things with Tor, protecting themselves,” he said.

The Tor Project has been frustrated in its attempts to close holes in its software: law enforcement and security agencies have found flaws in it and used them to crack down on political activists and criminals, but have not disclosed those flaws back to the project itself.

These crackdowns have led to the perception that Tor has been compromised and is therefore less useful for those who rely on the technology to avoid persecution, such as dissidents and journalists working in countries with oppressive regimes.