HackerOne, the platform that lets researchers report vulnerabilities to companies and software developers and receive rewards for doing so, has announced the inclusion of open source software in its Internet Bug Bounty program. Rewards can now be paid not only for identifying vulnerabilities in corporate systems and services, but also for reporting problems in a wide range of open projects developed both by teams and by individual developers.
The first open projects for which payouts for discovered vulnerabilities are provided include NGINX, Ruby, RubyGems, Electron, OpenSSL, Node.js, Django and curl. The list will be expanded in the future. A critical vulnerability pays $5,000, a high-severity one $2,500, a medium-severity one $1,500, and a low-severity one $300. The bounty for a found vulnerability is split in the proportion 80% to the researcher who reported it and 20% to the maintainer of the open project who lands the fix.
Funds to finance the new program are accumulated in a separate pool. The main sponsors of the initiative are Facebook, GitHub, Elastic, Figma, TikTok and Shopify, and HackerOne users are given the opportunity to transfer from 1% to 10% of the funds allocated to them into the pool.