Supporting the Source: Why HackerOne is Upgrading its Free Tools for Open Source
Protecting open source is our social responsibility and essential to the well-being of the internet.
Open source software powers HackerOne. It powers our software, our infrastructure, and our model for engaging with our community. As part of our mission to make the internet safer, we want to make it easier for your open source project to remain secure. And we know we’re not alone: it depends on who you ask, but almost 80% of organizations rely on open source, too, and we only expect that number to grow.
For almost 3 years, we’ve given the open source community our tools for free. Today, we’re happy to announce that we are upgrading our Community Edition, a free version of our popular HackerOne Bounty program for open source projects, so the industry has access to best-in-class bug bounty features. At the same time, we’re joining GitHub Security Lab (GHSL) to have a deep and meaningful impact on the state of open source security and bring HackerOne to open source hackers through the GHSL Bug Bounty program.
Joining GitHub Security Lab
Announced at GitHub Universe this Thursday, the GHSL will be the home of Security Research at GitHub. Its mission is to hunt for vulnerabilities in Open Source projects, build tooling that will facilitate securing codebases at scale, and partner with other security teams across the industry to build bridges between the security research community and the wider software development community.
“Our goal is to make cutting-edge security research from across our industry practically digestible in your day-to-day development practices and to shift Open Source security away from single-instance vulnerability whack-a-mole towards scalable integrated vulnerability variant analysis,” said Nico Waisman, Principal Security Engineer at GitHub, in his keynote announcement on Thursday.
As a partner of GHSL, we seek to help GitHub reward and motivate the talented individuals in open source by empowering them to build at the speed of innovation, securely.
For Open Source Projects: More From Community Edition
Our mission at HackerOne is to empower the world to build a safer internet. As part of this, we know that open source underpins many products and services that we use every day, so we want to ensure that open source projects can get as much support as possible in running simple, efficient, and productive security programs.
Previously, HackerOne Community Edition gave open source projects access to the most trusted hacker-powered security platform free of charge. With HackerOne, contributors, users, and hackers have a safe place to submit vulnerability reports, making it easier to keep projects secure.
Today, we are delighted to announce that we’re upgrading the features of our Community Edition to bring open source the best-in-class features that we offer.
In addition to vulnerability submission, coordination, duplicate detection, analytics, and bounty programs, we’re sweetening the deal with new features such as tagging reports with custom data (for example, root-cause analysis) and parent-child team management, and soon we’ll be delivering increased benchmarking analytics to open source projects and across the platform. This will further simplify how you define scope, receive vulnerability reports, manage those reports, and incentivize security researchers to help harden your project… and it’s free!
Open source projects such as Python, Node.js, OpenSSL, Ruby, Rails, Phabricator, Django, and more are already using HackerOne. And, thanks to sponsorship through Internet Bug Bounty from Ford Foundation, Microsoft, Facebook, and GitHub, we’re able to better incentivize open source hackers with competitive bounties.
As part of this, today we are also eliminating the majority of our bounty fees to free up more of your budget to incentivize open source security research.
Is My Project Eligible?
All open source projects are welcome to apply if they meet the following requirements:
- Open Source projects - your program scope must include only Open Source projects that are covered by an OSI-approved license.
- Be ready - your project must be active and at least 3 months old (age is measured by shipped releases/code contributions).
- Create a policy - you will add a SECURITY.md to your project root that explains how to submit vulnerabilities (example).
- Advertise your program - you will display a link to your HackerOne profile in either the primary or secondary navigation of your project's website.
- Be active - you will maintain an initial response time to new reports of less than one week.
If you believe your project fulfills these requirements, you can learn more about this offering and then submit an application.
For Hackers: Bounties from the Source
From nearly eight years of bug bounties, over 1,600 customer programs, over 140,000 vulnerabilities, $74 million in bounties paid, and over half a million hackers, we’ve learned a few things. A few that matter for open source:
- Transparency is key. The more open a program is, meaning that it discloses vulnerabilities AND invites more people to hack, the better results it gets.
- It helps, a lot, to get paid. When programs start paying bounties or increasing them, they ultimately get more secure code. That’s why facilitating payments will have such a deep impact on open source security.
With that comes the GHSL Bounty.
GitHub and HackerOne are teaming up to reward your eyeballs for looking at open source code. There are two main bounties awarded quarterly to reward vulnerability research on open source projects:
- The Bug Slayer: This bounty rewards hackers who create variant queries that have found multiple real-world vulnerabilities with associated CVE numbers.
- The All for One, One for All: This bounty rewards those who create queries of such high quality and usability that they are mainlined into our shipped toolchains, thus directly benefiting the entire Open Source community.
To get started, visit: https://hackerone.com/github-security-lab
Together we hit harder.