Attention
"Litchfield remains concerned that Tor just brought a whole lot of unnecessary attention to themselves"
You don't think that perhaps Litchfield was just attempting to bring attention to himself?
Backers of a private bug bounty for Tor have defended the project in the face of criticism from a leading security researcher. The invite-only exploit bug bounty program for the Tor anonymization network is being organised through HackerOne. Tor has long been a target for foreign states and intel agencies. This has been well …
Because I can :) I have been in the security industry now for 19 years. I have literally published / discovered hundreds of 0days. In 2003 I was voted Best Bug Hunter. I have successfully set up and run two successful IT security consultancy firms that were eventually acquired. I am now one of the most successful bug hunters; I also ranked in 1st place on HackerOne, the host of TOR's bug bounty program. The real question is who are you, that you can't even perform a simple search on Google???
The answer is NO. My entire point is, if you are going to run a private bug bounty program, then keep it private. When you are ready to open it up to all researchers, THEN shout about it as much as you like. To announce publicly a program then limit your researcher pool is truly ridiculous especially when you have the likes of Zerodium offering $30,000 for a good attack.
“All they have done is turn up the heat for these black hats to get some bugs in Tor sooner rather than later. The shelf life of any bug they may have found or will find might become a lot shorter.”
His argument is that, because maybe vulnerabilities are going to disappear soon, bug hunters have an incentive to find vulnerabilities now, before it's too late? So the diminishing value of the vulnerability increases the interest of hackers?
I really appreciate your concern. Being number one on HackerOne you would assume all people in the top 10 would get an invite. So far you are correct, I actually have not yet received an invite and if you ask the other 9, you will be surprised to hear the results. Even if I got an invite, there is a huge client list that would pay more money for an exploit on TOR than TOR would. So I would never submit an issue through their program.
Again, someone is missing the whole point of the article!! Absolutely, that is the point of a bug hunt. But if you are going to make it a private, invite-only program, why bother shouting about it? All you have done is (1) limit your researcher base by making it private; (2) by making it private and limiting your researcher base, you have just publicly announced to parties that are actively looking for bugs (agencies, foreign states) what you are doing, so they will shift focus from other projects to TOR. (3) What they should have done was run their private bounty and keep it private. When they were ready to make their program open to all researchers, THEN make some public announcements. Huge mistake in my opinion.