Invite-only bug bounty criticised for turning up the heat on Tor

Backers of a private bug bounty for Tor have defended the project in the face of criticism from a leading security researcher. The invite-only exploit bug bounty program for the Tor anonymization network is being organised through HackerOne. Tor has long been a target for foreign states and intel agencies. This has been well …

  1. Paul Smith

    Attention

    "Litchfield remains concerned that Tor just brought a whole lot of unnecessary attention to themselves"

    You don't think that perhaps Litchfield was just attempting to bring attention to himself?

    1. Ole Juul

      Re: Attention

      Who is this guy anyway? And why is he being quoted for this story?

      1. Surreal

        Re: Attention

        Are the information tubes on your Google Interwebz all clogged up? Your Wikipedia might help in that case. He's a bug hunter of renown; he wields a mighty flyswatter.

      2. mlitchfield

        Re: Attention

        Because I can :) I have been in the security industry now for 19 years. I have literally published / discovered hundreds of 0days. In 2003 I was voted Best Bug Hunter. I have successfully set up and run two successful IT security consultancy firms that were eventually acquired. I am now one of the most successful bug hunters; I am also positioned in 1st place on HackerOne, the host of TOR's bug bounty program. The real question is who are you that can't even perform a simple search on Google?

    2. Adam 1

      Re: Attention

      Maybe he is sitting on some vulnerability that he wants to cash in before someone else claims his bounty?

      /tinfoil hat

      1. mlitchfield

        Re: Attention

        Zerodium offer $30,000 for a good exploit, let alone what else I could get for it. Completely dumb statement!! I would have sold it the minute I found it, and the list of buyers would have been extensive.

    3. mlitchfield

      Re: Attention

      The answer is NO. My entire point is, if you are going to run a private bug bounty program, then keep it private. When you are ready to open it up to all researchers, THEN shout about it as much as you like. To announce a program publicly and then limit your researcher pool is truly ridiculous, especially when you have the likes of Zerodium offering $30,000 for a good attack.

  2. ratfox

    Let me get this straight

    “All they have done is turn up the heat for these black hats to get some bugs in Tor sooner rather than later. The shelf life of any bug they may have found or will find might become a lot shorter.”

    His argument is that, because maybe vulnerabilities are going to disappear soon, bug hunters have an incentive to find vulnerabilities now, before it's too late? So the diminishing value of the vulnerability increases the interest of hackers?

  3. Anonymous Coward

    Sour Grapes

    Sounds like this guy is just miffed because his invite was lost in the mail!

    1. Alistair

      Re: Sour Grapes

      Call him a whaaaaaambulance.

      1. mlitchfield

        Re: Sour Grapes

        Thank you for your awesome contribution !!

    2. mlitchfield

      Re: Sour Grapes

      I really appreciate your concern. Being number one on HackerOne, you would assume all people in the top 10 would get an invite. So far you are correct: I actually have not yet received an invite, and if you ask the other 9, you will be surprised to hear the results. Even if I got an invite, there is a huge client list that would pay more money for an exploit on TOR than TOR would. So I would never submit an issue through their program.

  4. Youngdog

    Wait - what?

    The shelf life of any bug they may have found or will find might become a lot shorter

    Isn't that the whole point of a bug hunt? When did that become a bad thing?

    1. mlitchfield

      Re: Wait - what?

      Again someone missing the whole point of the article!! Absolutely, that is the point of a bug hunt. But, if you are going to make it a private, invite-only program, why bother shouting about it? All you have done is (1) limit your researcher base by making it private; (2) having made it private and limited your researcher base, you have just publicly announced to parties that are actively looking for bugs (agencies, foreign states) what you are doing, so they will shift focus from other projects to TOR. (3) What they should have done was run their private bounty and keep it private. When they were ready to make their program open to all researchers, THEN make some public announcements. Huge mistake in my opinion.
