HackerOne, the vulnerability coordination and bug bounty platform, has launched a new Community Edition for open source projects. The company is built around the notion that, “given enough eyeballs, all vulnerabilities are shallow.” HackerOne announced a $40 million round of funding earlier this month, which allows the company to expand its market and add new features to the platform.
Open source projects are one area where HackerOne is expanding its reach. The company participates in the Internet Bug Bounty program, which helps secure core internet infrastructure and open source software, but HackerOne is now opening up its own platform.
“One of the goals I have had in my work with HackerOne is to build an even closer bridge between HackerOne and the open source community,” community strategy consultant Jono Bacon said. Bacon previewed HackerOne’s new Community Edition, which has not yet been formally announced but is already open for applicants.
The Community Edition has all the same features as HackerOne’s Professional Edition, including vulnerability submission/coordination, duplicate detection, hacker reputation, analytics, and more. The only difference is that it doesn’t include paid customer support and program assistance. It also integrates with many popular issue tracking tools, such as JIRA, GitHub, Bugzilla, Zendesk, Track, and others.
Although the name “Community Edition” might suggest to some that it is self-hosted, HackerOne actually provides it as a SaaS offering with no setup or deployment required.
Open source projects are eligible if they meet a few requirements:
- Be an open source project covered by an OSI-approved license
- Be active and at least 3 months old (age is measured by shipped releases and code contributions)
- Include a SECURITY.md file in the project root that explains how to submit vulnerability reports
- Display a link to the project’s HackerOne profile in either the primary or secondary navigation of the project’s website
- Provide an initial response to new reports in less than a week
WordPress doesn’t have its own listing in the HackerOne directory but Automattic’s page says the company also welcomes reports for WordPress, BuddyPress, and bbPress. Automattic has had 446 bugs resolved through its program on HackerOne, which it has maintained for the past three years. A handful of other WordPress-related projects are also listed in the directory, including the WordPoints plugin, Ian Dunn’s projects, and Flox.
Having a crowd-sourced security program in place is becoming more critical, as breaches are costing companies billions of dollars every year. The World Economic Forum’s 2016 Global Risks Report estimated that “crimes in cyberspace cost the global economy an estimated $445 billion.”
Not all organizations listed on HackerOne offer bug bounties, but bounties are a proven method of attracting security talent. Since HackerOne launched, its customers have resolved more than 37,000 vulnerabilities and have paid out more than $13 million in bug bounties. By the end of 2016, HackerOne’s community of hackers had grown to nearly 100,000.
The new Community Edition gives smaller open source projects and organizations exposure to HackerOne’s network of thousands of security researchers and the tools for managing communication about vulnerabilities. Projects applying for the Community Edition must be non-commercial and able to run an effective security program. Applications are usually answered within one business week.