The Tor Project, the gatekeepers of the dark web, is literally asking to be hacked. This week (20 July), the group launched its first public-facing bug bounty programme designed to allow white-hat researchers to report bugs and vulnerabilities in exchange for cold hard cash.
Tor, also known as The Onion Router, helps users stay anonymous by masking their true location and is often used by journalists and dissidents to circumvent internet censorship regimes in repressive countries. Unfortunately, it is also a tool used by criminal hackers and drug peddlers.
The bug bounty's ultimate aim, the group said in a blog post, is to find security flaws in two core products: the Tor Network and the Tor Browser.
Vulnerabilities come in different tiers, and researchers can earn up to $4,000 for locating and disclosing the most severe security issues via the HackerOne platform.
Unsurprisingly for a service centred on privacy, the most sought-after bugs are those that result in users becoming compromised or de-anonymised.
The Tor Project has had a private bug bounty programme ongoing since January 2016, which has reportedly helped catch a variety of denial-of-service (DoS) bugs. Now it's open to all.
"I think a lot is potentially at stake with our program," said Georg Koppen, leader of the Tor browser team. "Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online.
"We're already open with our code, but the bug bounty program will help more people join us in keeping Tor safe by providing financial compensation for bugs on an open platform." The bounty was made possible with support from the Open Technology Fund, the group said.
"Security is important for Tor because exploiting security holes in our software can easily lead to breaks in privacy and anonymity for our users," Koppen continued.
"If our software contains serious coding flaws, the protections Tor offers can get bypassed by skilled attackers and compromise our users. If we're not secure, we're not delivering on our promise to users. We need to constantly address issues before they can potentially become a threat."
You can check out the HackerOne page for full information about the programme. To date, the Tor Project has paid out a total of $2,900 to helpful hackers. Its average payment levels out at $200-$300 and, at the time of writing, its top individual payout has been $500.