Twitter recently announced on HackerOne that it will pay researchers for finding vulnerabilities in its website, its apps, or anything else that could threaten Twitter. Researchers have to register with HackerOne and submit their findings there so Twitter can review each report and decide whether it qualifies as a legitimate security issue. The minimum bounty is $140; there is no stated maximum, and the payout is determined by the severity of the vulnerability. All submissions go through HackerOne's site and disclosure process, and Twitter then decides how to reward the reporter.
Common vulnerabilities include:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Remote Code Execution (RCE)
- Unauthorized Access to Protected Tweets
- Unauthorized Access to DMs
Vulnerabilities not included:
- Issues related to software or protocols not under Twitter control
- Reports from automated tools or scans
- Reports of spam
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering of Twitter staff or contractors
- Any physical attempts against Twitter property or data centers
So far 71 people have submitted bugs and been rewarded.
This is a good move by the company to help keep its business safe: people can now report these issues legally and get paid for it, which removes some of the motive for doing it outside the rules beforehand. The program is still in its early stages, so there is no telling yet whether it will turn out to be a good or a bad thing. We will have to sit back and watch.