iOS and Android mobile apps included, no upper limit on the reward

Sep 4, 2014 20:56 GMT

Twitter has taken another step towards protecting the integrity of its services: on Wednesday the company announced the launch of its bug bounty program, giving researchers a channel for responsible disclosure of vulnerabilities in its platform.

Managed through the third-party broker HackerOne, the program offers a minimum reward of $140 / €108 for eligible vulnerabilities in the web-based service as well as in the iOS and Android mobile apps; there is no upper limit on the reward, and the amount depends on the severity of the reported issue.

Qualifying glitches include cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE), and unauthorized access to protected tweets and direct messages.

To be eligible for a monetary reward, a researcher has to be the first to report the qualifying security flaw and must not disclose it publicly until it is fixed.

Other organizations running bug bounty programs through HackerOne include 4Chan, Yahoo, CloudFlare, Square, Urban Dictionary, Sucuri, Mail.ru and OkCupid.

Bug bounties for Nginx, OpenSSL, Perl, Ruby, Apache, PHP and Python are also run through the platform and are sponsored by Microsoft and Facebook.

A bug bounty program is a good way for a company to manage the disclosure process for vulnerabilities affecting its services and customers, but more importantly, it represents an investment in the security of its products.