Tor Project to host bug bounty program on HackerOne

Dec 30, 2015 13:35 GMT

Members of the Tor Project have announced the creation of a bug bounty program. The announcement was made at the 32nd Chaos Communication Congress (32C3), currently underway in Hamburg, Germany. The bug bounty program will be hosted via the HackerOne platform.

Rumors of a Tor bug bounty program surfaced online around mid-November, but were never confirmed by sources inside the Tor Project.

Curiously, the rumors started appearing just two days after the Tor Project had made public allegations against Carnegie Mellon University (CMU) for carrying out "research on command" for the FBI, research for which the Bureau paid CMU around $1 million (€0.9 million).

The Tor Project has never provided any proof for its allegations, and Carnegie Mellon University later denied any involvement in paid-for research for the FBI.

Aside from this, the project's maintainers also started seeking a more government-independent financing model, having launched a donations program just a few weeks back.

With the new bug bounty program, Tor's administrators will try to have talented infosec researchers test their software in a controlled manner, and reward the discovery of potentially dangerous bugs long before the FBI ever has a chance of getting their hands on useful zero-day flaws that might de-anonymize Tor traffic.

Currently, all the big Internet and software companies run bug bounty programs, in one format or another, and the HackerOne platform is starting to become the main service to which companies turn when in need of a trusted third-party host and arbitrator. Below is the video of the announcement.