HackerOne has implemented the payment of rewards for identifying vulnerabilities in open source software

HackerOne, a platform that allows security researchers to inform companies and software developers about vulnerabilities and receive rewards for doing so, announced the inclusion of open source software in the scope of the Internet Bug Bounty project. Reward payments can now be made not only for identifying vulnerabilities in corporate systems and services, but for reporting problems in a wide range of open source projects developed by both teams and individual developers.

Among the first open source projects to start paying for vulnerabilities are Nginx, Ruby, RubyGems, Electron, OpenSSL, Node.js, Django, and Curl; the list will be expanded in the future. The payout is $5000 for a critical vulnerability, $2500 for a high-severity one, $1500 for a medium one, and $300 for a low-severity one. Each reward is split 80% to the researcher who reported the vulnerability and 20% to the maintainer of the open source project who merged the fix.

The funds to finance the new program are accumulated in a separate pool. The main sponsors of the initiative were Facebook, GitHub, Elastic, Figma, TikTok and Shopify, and HackerOne users were given the opportunity to transfer from 1% to 10% of the allocated funds to the pool.

Source: opennet.ru
