HackerOne, a platform that hosts bug bounty programs, announced today that open-source projects can now sign up for a free bug bounty program if they meet a few simple conditions.
The new offering, named HackerOne Community Edition, is identical to HackerOne Professional Edition, the commercial service the company offers to some of the world’s largest organizations, such as Twitter, Dropbox, Adobe, Yahoo, Uber, GitHub, Snapchat, and many others.
The only difference is that open source projects won’t be able to benefit from dedicated customer success support, which will remain a feature available only to paying customers.
It’s easy to apply
The conditions that an open source project has to meet before applying for a HackerOne Community Edition account include:
- Be active and at least 3 months old (age is defined by shipped releases/code contributions).
- Project must be released under an OSI-compatible license.
- Must be willing to add a SECURITY.md file to the project’s root directory (example).
- Display a link to its HackerOne profile from the project’s homepage, either from the primary or secondary navigation menu.
- Answer security tickets within one week (must maintain this responsiveness after account is approved).
As you can see, there are no limits or criteria regarding a project’s popularity, meaning anyone can join, from jQuery plugins to complex CRMs and e-commerce platforms.
Many open source projects were already on HackerOne
HackerOne launched the program today. Some open source projects had already joined HackerOne before today’s announcement, such as Django, Discourse, Ruby, Ruby on Rails, Brave, GitLab, and Sentry.
“We know that open source underpins many products and services that we use every day so we want to ensure that open source projects can get as much support as possible in running simple, efficient, and productive security programs,” HackerOne said today in a statement.
Like HackerOne, Google has been helping to secure the open source community. Today, Google revealed details about an in-house program called Operation Rosehub, during which 50 Google engineers submitted patches to Java open source projects to fix a severe and widespread two-year-old vulnerability affecting thousands of applications.