The initiative, run by HackerOne, aims to uncover dangerous code repository bugs that end up going viral across the application supply-chain.
Tech giants want hackers to their money, in exchange for rooting out critical vulnerabilities lurking in the open-source code they use.
As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma, GitHub, Shopify and TikTok, announced they are throwing a new round of resources behind an Internet Bug Bounty Program (IBB) to lure threat hunters’ attention to open-source supply chains.
For perspective, recent research from Synopsys found the average application uses around 528 open-source components, and most of the high-risk vulns found last year had been around for more than two years — meaning they had plenty of time to proliferate. A 2020 review also found that 70 percent of mobile and desktop apps contain open-source bugs.
So far, the program has already made good progress. HackerOne initially launched the IBB back in 2013 and has since found 1,000 bugs and paid out $900,000 to around 300 hackers, the company said.
Following a spate of spectacular software supply-chain breaches, market leaders have decided to throw in some cash to fund the IBB to incentivize bug hunters to take a closer look at open-source code.
“Recent cyberattacks against software supply chains demonstrate the urgency of securing these organizational blind spots. And open-source software represents a growing portion of the world’s critical supply-chain attack surfaces,” Alex Rice CTO and co-founder of HackerOne said in the announcement. “The new IBB empowers organizations that are beneficiaries of open source to play an active role in collectively building more secure digital infrastructure for everyone.”
Changes to Existing IBB Program
The new IBB will built on its previous work by allowing HackerOne customers pool between 1 percent and 10 percent of their bug-bounty dollars with others with similar risk.
HackerOne’s latest IBB program will also use volunteer “maintainers” who remediate the vulnerabilities and get 20 percent of the bounty, the company said. The remaining 80 percent gets paid out to the hackers that discover the bugs.
The company has also committed to improving the submission process for open-source threat hunters.
For IBB-sponsoring companies like TikTok, which have come under scrutiny by the security community in the past, this is an opportunity to demonstrate a commitment to boosting security even beyond its own business.
“TikTok is proud to support innovative initiatives like the HackerOne IBB pilot program to further strengthen not only TikTok’s security, but also to drive a safer internet for all by leveraging the efforts of the global security research community,” Roland Cloutier, TikTok chief security officer said.
Rule #1 of Linux Security: No cybersecurity solution is viable if you don’t have the basics down. JOIN Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the 4 Golden Rules of Linux Security. Your top takeaway will be a Linux roadmap to getting the basics right! REGISTER NOW and join the LIVE event on Sept. 29 at Noon EST. Joining Threatpost is Uptycs’ Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.