Can free bug hunting services improve the security of the backbone of the web?
HackerOne has already made an impact by making bug bounty programs easier to launch and maintain, but the company wants to go further by offering paid services for free to the open-source community.
On Thursday, the bug bounty platform announced the formation of the HackerOne Community Edition, a program designed to give open-source projects the chance to take advantage of HackerOne Professional services without paying a cent.
In a blog post, HackerOne said the firm will give open-source projects assistance in setting up and maintaining vulnerability submission, coordination, dupe detection, analytics, and bounty programs to enhance the security of these often volunteer-based programs which so many other vendors and software developers rely on.
“Our company, product, and approach is built-on, inspired by, and driven by open source and a culture of collaborative software development,” the bug bounty platform says. “As such, we want to give something back.”
A number of open-source projects already utilize HackerOne, including Ruby, Rails, Discourse, Django, GitLab, Brave, and Sentry.
There is debate concerning whether open-source software is any more or less vulnerable than closed systems, but as many vendors — including Google, Apple, and Microsoft — know, the more eyeballs available to ferret out security flaws, the better.
“Our primary focus at HackerOne is to help make the Internet safer,” HackerOne says. “As part of this we know that open source underpins many products and services that we use every day, so we want to ensure that open source projects can get as much support as possible in running simple, efficient, and productive security programs.”
“As open source has become an increasing component in how organizations consume technology, the workflow of how people build these projects is critical,” says Jono Bacon, former director of community at Canonical, GitHub, and XPRIZE. “I am delighted to see HackerOne provide a key component in this workflow in much the same way code hosting/review, continuous integration, containerization and other pieces have become staple pieces.”
In order to participate in the new scheme, applying programs must be an open-source project covered by an OSI license, and the project must be at least three months old.
In addition, applicants must be willing to create a security policy which provides details on how researchers can submit bug reports, and they must also promise to respond to new vulnerability reports within seven days. The only small caveat is that HackerOne requires a link to your HackerOne profile on project websites.
Interested open-source projects can apply.