Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

HackerOne Offers Free Service to Open Source Projects

Bug bounty platform provider HackerOne announced on Thursday that open source projects can benefit from its Professional services at no cost if they can meet certain conditions.

Bug bounty platform provider HackerOne announced on Thursday that open source projects can benefit from its Professional services at no cost if they can meet certain conditions.

HackerOne, which recently raised $40 million in a Series C financing round, already hosts bug bounty programs for 36 open source projects, including GitLab, Ruby, Rails, Phabricator, Sentry, Discourse, Brave and Django. To date, these projects have resolved more than 1,200 vulnerabilities.

The company hopes to have other open source projects sign up for its services now that it has launched its Community Edition program.

Through the new program, open source applications can use HackerOne’s Pro service for free. The service provides the mechanisms necessary for vulnerability submissions, coordination, analytics, detecting duplicates, and paying out bounties.

It’s worth pointing out that while open source projects can benefit from this offer at no cost, HackerOne will still charge the usual 20 percent payment processing fee in the case of programs that pay out cash bounties.

A project is eligible for the offer if it’s covered by an Open Source Initiative (OSI) license, and it has been active for at least 3 months. Accepted projects are required to add a “” file to their project root to provide details on submitting vulnerabilities, advertise the bug bounty program on their website, and commit to responding to new bug reports within a week.

“Our HackerOne program has been a definite success for us – a new way to get actionable security reports that improve the security of the open source Discourse project for everyone,” said Jeff Atwood, co-founder of Discourse. “A public bounty program is an essential element of the defense in depth philosophy that underpins all security efforts.”

HackerOne and Synack have been awarded a combined $7 million to help the U.S. Department of Justice and its components run bug bounty initiatives. One of these initiatives is Hack the Army, which received over 100 eligible vulnerability reports and paid out roughly $100,000 to participants.

Related: Qualcomm Bug Bounty Program Offers $15,000 Payouts

Related: Kaspersky in Search of Hackers for New Bug Bounty Program

Related: Researcher Gets $5,000 for Severe Vulnerability in HackerOne

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.