It’s been said that there are two ways of building software: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.
With complex software systems, there are always opportunities for bugs to creep in. This is especially true when web browsers are involved.
We’ve been using a platform called HackerOne to solicit reports from, triage, respond to, and reward security researchers who report bugs in our platform.
To date, we’ve paid out $5,000 split between 21 reports, with the following distribution:
- $1,000 x 1
- $500 x 5
- $100 x 15
Thanks to everyone who has taken the time to report their discoveries. We anticipate running this program indefinitely, and will continue to check for new reports daily.
We’re in good company
Several well-known companies have a similar program for rewarding researchers who responsibly disclose security bugs:
- GitHub’s Bounty Program
- Google’s Application Security Program
- Facebook’s Policy and Bounty Info
- Mozilla’s Bug Bounty Program
- Coinbase (who pay bounties in Bitcoin, of course)
You can read more about Responsible Disclosure on Wikipedia, or read about [Hacker Classifications on Wikipedia](http://en.wikipedia.org/wiki/Hacker_(computer_security%29#Classifications) to learn about different coloured hats.