TikTok, GitHub, Facebook Join Open-Source Bug Bounty

[silversurfer]

Tech giants want hackers to their money, in exchange for rooting out critical vulnerabilities lurking in the open-source code they use.
 
As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma, GitHub, Shopify and TikTok, announced they are throwing a new round of resources behind an Internet Bug Bounty Program (IBB) to lure threat hunters’ attention to open-source supply chains.
 
For perspective, recent research from Synopsys found the average application uses around 528 open-source components, and most of the high-risk vulns found last year had been around for more than two years — meaning they had plenty of time to proliferate. A 2020 review also found that 70 percent of mobile and desktop apps contain open-source bugs.
 
So far, the program has already made good progress. HackerOne initially launched the IBB back in 2013 and has since found 1,000 bugs and paid out $900,000 to around 300 hackers, the company said.
 
Following a spate of spectacular software supply-chain breaches, market leaders have decided to throw in some cash to fund the IBB to incentivize bug hunters to take a closer look at open-source code.
 
“Recent cyberattacks against software supply chains demonstrate the urgency of securing these organizational blind spots. And open-source software represents a growing portion of the world’s critical supply-chain attack surfaces,” Alex Rice CTO and co-founder of HackerOne said in the announcement. “The new IBB empowers organizations that are beneficiaries of open source to play an active role in collectively building more secure digital infrastructure for everyone.”

Read more: TikTok, GitHub, Facebook Join Open-Source Bug Bounty | Threatpost