Twitter paid security researchers $322,420 to find security vulnerabilities
Micro-blogging website Twitter celebrated the second anniversary of its bug bounty program, hosted on HackerOne, last week. Under this program, Twitter rewards researchers and bug hunters who disclose vulnerabilities in its website.
“We maintain a secure development lifecycle that includes secure development training to everyone that ships code, security review processes, hardened security libraries and robust testing through internal and external services – all to maximise the security we provide to our users,” Arkadiy Tetelman, software engineer at Twitter, said in a blog post on Friday.
One of the important measures the company takes is engaging the broader information security community through its bug bounty program, which lets security researchers responsibly disclose vulnerabilities to the company so that it can respond to and address these issues before they are exploited by others.
To give an insight into how much effort such an endeavour requires, the company’s security team said that in the last two years it received 5,171 submissions from 1,662 security researchers and has paid a total of $322,420 to security researchers, according to the program data.
Of that total, the average payout was $835 and the highest single reward was $12,040. To honor its history, Twitter pays in multiples of 140, with a minimum payment of $140 and no maximum limit. Notably, last year a single researcher received more than $54,000 in rewards for reporting vulnerabilities.
“We also offer a minimum of $15,000 for remote code execution vulnerabilities, but we have yet to receive such a report,” Tetelman added.
Twitter has been running the program on HackerOne since May 2014. The company accepts reports of vulnerabilities such as remote code execution, authentication issues, cross-site scripting, cross-site request forgery, and more, and regards the program as an essential and invaluable resource for seeking out and addressing security flaws ranging from the severe to the ordinary.
“We’re thankful to all the security researchers who have worked hard to find and report vulnerabilities in Twitter, and we look forward to continuing our good faith relationship in 2016 and beyond,” concludes the company.
For those who want to turn their bug bounty hunting skills into a profession, Twitter also notes that it’s hiring on its security team.
“If you are interested in helping keep Twitter safe and secure too then head on over to our bug bounty program, or apply to one of our open security positions!” Tetelman added.