Security Experts:

HackerOne Offers Free Service to Open Source Projects

Bug bounty platform provider HackerOne announced on Thursday that open source projects can benefit from its Professional services at no cost if they can meet certain conditions.

HackerOne, which recently raised $40 million in a Series C financing round, already hosts bug bounty programs for 36 open source projects, including GitLab, Ruby, Rails, Phabricator, Sentry, Discourse, Brave and Django. To date, these projects have resolved more than 1,200 vulnerabilities.

The company hopes to have other open source projects sign up for its services now that it has launched its Community Edition program.

Through the new program, open source applications can use HackerOne’s Pro service for free. The service provides the mechanisms necessary for vulnerability submissions, coordination, analytics, detecting duplicates, and paying out bounties.

It’s worth pointing out that while open source projects can benefit from this offer at no cost, HackerOne will still charge the usual 20 percent payment processing fee in the case of programs that pay out cash bounties.

A project is eligible for the offer if it’s covered by an Open Source Initiative (OSI) license, and it has been active for at least 3 months. Accepted projects are required to add a “” file to their project root to provide details on submitting vulnerabilities, advertise the bug bounty program on their website, and commit to responding to new bug reports within a week.

“Our HackerOne program has been a definite success for us – a new way to get actionable security reports that improve the security of the open source Discourse project for everyone,” said Jeff Atwood, co-founder of Discourse. “A public bounty program is an essential element of the defense in depth philosophy that underpins all security efforts.”

HackerOne and Synack have been awarded a combined $7 million to help the U.S. Department of Justice and its components run bug bounty initiatives. One of these initiatives is Hack the Army, which received over 100 eligible vulnerability reports and paid out roughly $100,000 to participants.

Related: Qualcomm Bug Bounty Program Offers $15,000 Payouts

Related: Kaspersky in Search of Hackers for New Bug Bounty Program

Related: Researcher Gets $5,000 for Severe Vulnerability in HackerOne

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.