Twitter adds unlimited payouts to its bug bounty program

Twitter’s bug bounty program is now offering a minimum of $140 (£85) for reported bugs.

OK, so it amounts to more or less emptying out the change from its big old corporate back pocket.

But there’s more: there’s no maximum payout, meaning the sky’s the limit!

The social media buzz bucket announced on Wednesday that cash will be added to the profound gratitude it’s doled out since the bug-reporting program started in June.

Twitter has partnered with the third-party bug bounty platform HackerOne to launch the rewards program, which pays a minimum of $140 for each bug that’s disclosed responsibly.

Reward amounts may vary depending on the severity of the vulnerability reported, Twitter says.

Twitter’s already thanked 44 hackers for telling it about a list of bugs that it didn’t go into detail about.

Since they were reported before the cash part of this was announced, the finders won’t be receiving any money.

But as I was writing this up, the first bug to be found since the bounty was announced appeared, meaning that Sergey Markov (sergeym) will be the first to have received a Twitter bug bounty.

I dropped Twitter a note to find out how much he’s getting and will update the story if I hear back.

Twitter lauded the “vibrant” bunch whose thrumming has thus far turned up vulnerabilities:

We're lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize their efforts and the important role they play in keeping Twitter safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities.

Twitter says that any design or implementation issue that’s reproducible and which “substantially affects the security of Twitter users” is likely to fit the scope of the program.

A list of usual suspects includes:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorized Access to Protected Tweets
  • Unauthorized Access to DMs

Start bug hunting, bug aficionados!

Image of dead bug and cash courtesy of Shutterstock.