OSTIF is Partnering with the Internet Bug Bounty and HackerOne for Bug Bounties!
The Open Source Technology Improvement Fund is partnering with the Internet Bug Bounty and HackerOne. The partnership will get our supported projects listed on HackerOne with no overhead costs.
HackerOne is the de facto site for bug hunters around the world, with a community of thousands of skilled researchers. This partnership brings a large pool of application security engineers and cryptographers to review our projects, submit bugs, and receive bounties in an organized and effective way.
Our initial supported projects will be VeraCrypt and OpenVPN. OpenSSL will be added after the results of our OpenSSL 1.1.1 audit are publicly available.
The bounties will initially match our own bug-bounty program: up to $2500 for locating a bug (based on severity) and up to a $2500 bonus for submitting a fix to the project that prevents the problem from resurfacing through regression or through new code introduced to the project. A fix can include providing the tools used to locate the bug (which must be FOSS), providing a security patch, or improving security practices at the project. To qualify, the fix must be accepted and integrated into the project. A fix that is of low code quality, lacks documentation, or introduces other problems may not qualify for the bonus.
We are excited about this new partnership; it represents months of back-and-forth negotiations to get the terms of the deal ironed out.
I want to extend a special thank you to our primary sponsors that provided the bulk of the funding for this project that allowed it to happen. Thank you to Private Internet Access, Duck Duck Go, OpenVPN Technologies, iPredator and ExpressVPN for sponsoring our critical work to make the internet safer for all of us!