HackerOne, the platform for vulnerability coordination and bug bounty, has decided to offer its professional bug bounty service for free to open source projects. The company has developed a special HackerOne Community Edition which is inspired by the culture of collaboration and open source development.
“Our company, product and approach is built-on, inspired by and driven by open source and a culture of collaborative software development. As such, we want to give something back,” HackerOne writes in a blog post.
San Francisco, California-based HackerOne helps security researchers and companies to interact with each other, triage reports and reward for bug bounties. Though it was previously available as a paid service, the latest development has provided free access to open source projects to host bug bounty programmes and improve the existing code.
The HackerOne Community Edition includes vulnerability submission, coronation, analytics, duplicate detection and bounty program management. However, it excludes the dedicated customer support which is a part of the professional bug bounty model.
Certain conditions are required to be fulfilled to qualify for the latest development. Firstly, the open source project participating for a bug bounty needs be covered by an OSI license. Secondly, it must be live from at least the last three months and include an SECURITY.md in the root to provide details for submitting vulnerabilities.
You also need to display a link to your HackerOne profile from the primary or secondary navigation of your project’s website. Besides, you need to maintain an initial response to new reports of less than a week.
Reward programme for reporting vulnerabilities
In addition to the latest development, HackerOne has a reward program for vulnerabilities reported in open source software packages like Apache, Perl, PHP, Python, Nginx or OpenSSL.
HackerOne already has nearly 36 open source projects. Projects based on Discourse, Ruby on Rails, Brave, GitLab, Django and Sentry have fixed more than 1,200 vulnerabilities using the bug bounty platform. Furthermore, some of the projects on the HackerOne board are sponsored by Microsoft and Facebook.