In late April, Chris Poole, aka moot, the founder of 4chan, announced that the image-based bulletin board had suffered a data breach. To prevent future incidents, the company has not only implemented additional security measures, but it has also launched a bug bounty program.
“We hope that by providing an officially sanctioned way for security researchers to submit security-related bugs, we’ll be in a better position to detect and respond to vulnerabilities that may impact the site and its users,” Poole explained in a blog post.
“Security remains an ongoing priority and commitment of ours. Thanks again for bearing with us, and sorry to anyone we’ve let down.”
The websites included in the bug bounty program are 4chan.org, 4channel.org, 4cdn.org and their subdomains.
The company highlights a few important aspects for those who want to report security holes. First of all, the scope of the program is limited to software and hardware vulnerabilities, not employees, volunteers or customers that might represent a security risk.
Vulnerabilities that can be used to send spam or launch DoS attacks, and knowingly posting, transmitting or linking to malware are also excluded from the program.
Secondly, vulnerabilities identified with the aid of automated scanning tools are not taken into consideration unless the expert who finds them can come up with a working proof-of-concept or a good reason why the issue could be exploited.
“Many issues reported by these tools are low-hanging fruit and do not have a clear security impact for 4chan,” 4chan noted on its HackerOne page.
Those who identify vulnerabilities in third-party services (CloudFlare or nginx) should report them to the vendor, and not 4chan. However, the company is prepared to credit those who find such flaws in its Hall of Fame.
For the time being, 4chan isn’t offering any cash rewards. Those who responsibly disclose security holes will get recognition in the company’s Hall of Fame, and either a 4chan Pass valid for one year (worth $20 / €15) or $20 / €15 in self-serve advertising credit, also valid for one year.
Reporters must be at least 18 years old to be eligible for rewards. All reports will be assessed by 4chan’s developer team to determine if they’re eligible.
Security experts who might have any questions regarding the new 4chan bug bounty program can send an email to firstname.lastname@example.org.