Thursday April 17 2014 • posted by RJ

Bug bounties for responsibly disclosed security issues

It’s been said that there are two ways of building software: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.

With complex software systems, there are always opportunities for bugs to creep in. This is especially true when web browsers are involved.

In addition to the work we already do to keep your IRCCloud data secure, we recently started paying bounties for bugs reported in accordance with our official Responsible Disclosure policy.

We’ve been using a platform called HackerOne to solicit for, triage, respond to, and reward security researchers for reporting bugs in our platform.

To date, we’ve paid out $5,000 split between 21 reports, with the following distribution:

Thanks to everyone who has taken the time to report their discoveries. We anticipate running this program indefinitely, and will continue to check for new reports daily.

We’re in good company

Several well-known companies have a similar program for rewarding researchers who responsibly disclose security bugs:

Further Reading

You can read more about Responsible Disclosure on Wikipedia, or read about [Hacker Classifications on Wikipedia](http://en.wikipedia.org/wiki/Hacker_(computer_security%29#Classifications) to learn about different coloured hats.