Bug Bounty, 2 years in

Friday, 27 May 2016

Security on a global platform like Twitter is a 24/7 job – we are constantly evolving to respond to new threats and attacks against our users and our systems. In order to stay ahead of the game we staff dedicated account-, network-, enterprise-, corporate-, and application-security teams, as well as an incident detection and response team. We also maintain a secure development lifecycle that includes secure development training for everyone who ships code, security review processes, hardened security libraries and robust testing through internal and external services – all to maximize the security we provide to our users.

On top of these measures we also engage the broader infosec community through our bug bounty program, allowing security researchers to responsibly disclose vulnerabilities to us so that we can respond and address these issues before they are exploited by others. We’ve been running our program on HackerOne since May 2014 and have found the program to be an invaluable resource for finding and fixing security vulnerabilities ranging from the mundane to severe.

In the two years since launch we’ve received 5,171 submissions to our program from 1,662 researchers.

  • 20% of our resolved bugs have been publicly disclosed (we allow bugs to be publicly disclosed after they’ve been fixed, at the request of the researcher)
  • We’ve paid out a total of $322,420 (USD) to researchers
  • Our average payout is $835
  • Our minimum payout is $140, and our highest payout to date was $12,040 (our payouts are always a multiple of 140)
  • In 2015 alone, a single researcher made over $54,000 for reporting vulnerabilities

At the time that we made our $12,040 payout we set a record on HackerOne:

We also offer a minimum of $15,000 for remote code execution vulnerabilities, but we have yet to receive such a report.

Since launching the program we’ve seen impressive growth in both the number of vulnerabilities reported and our payout amounts, reflecting our rising payout minimums and also the growing community of ethical hackers participating in the program:

Notable bugs

We’ve had many great bugs exposed through the program. For example:

  • XSS inside Crashlytics Android app: The Android Crashlytics application renders part of its content inside a webview, which did not have adequate protection against cross site scripting attacks. By creating an application with a malicious name like ‘”><img src=x>’ it was possible to trigger an XSS inside the application.
  • HTTP response splitting with header overflow: sending a long (just under 8192 bytes) payload to a number of endpoints would cause a failure to occur, and repeating the same request would return a valid page with attacker-controlled headers based on the payload sent. Read the full blog post from the reporter or the disclosed report on HackerOne.
  • IDOR allowing credit card deletion: a simple insecure direct object reference bug on the credit card deletion endpoint allowed an attacker to delete, but not view, credit cards not belonging to them. Additionally, the IDs were auto-incrementing integers and there was no rate-limiting on the endpoint, so it was possible for someone to delete all credit cards on Twitter. This bug has also been publicly disclosed and is one of the many bugs covered in our Secure Coding class taught to all new hires during orientation.
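As an added illustration of the IDOR bug above (example code written here, not Twitter's), a minimal deletion handler in its vulnerable form beside a hardened form that scopes the lookup to the caller's own cards and budgets attempts per user; the sample store, the handler names and the attempt budget are assumptions.

```python
# Added example (not Twitter's code): the credit-card deletion IDOR
# described above, shown as a vulnerable handler beside a hardened one.
# CARDS, the handler names and MAX_ATTEMPTS_PER_USER are assumptions.

# Constructed sample data: card id -> owning user. The ids are
# sequential integers, as in the report.
CARDS = {1: "alice", 2: "bob", 3: "bob"}

def delete_card_vulnerable(store, current_user, card_id):
    """Vulnerable: the only check is that the id exists, so any
    authenticated user can delete any card by supplying its id."""
    if card_id not in store:
        return "not_found"
    del store[card_id]
    return "deleted"

MAX_ATTEMPTS_PER_USER = 5   # assumed budget; makes id sweeps expensive
ATTEMPTS = {}               # user -> deletion attempts so far

def delete_card_fixed(store, current_user, card_id):
    """Hardened: (1) count attempts per user so an enumeration of ids
    is cut off, and (2) resolve the id only within the caller's own
    cards, so a card owned by someone else looks exactly like a missing
    one and is neither deleted nor confirmed to exist."""
    ATTEMPTS[current_user] = ATTEMPTS.get(current_user, 0) + 1
    if ATTEMPTS[current_user] > MAX_ATTEMPTS_PER_USER:
        return "rate_limited"
    if store.get(card_id) != current_user:
        return "not_found"
    del store[card_id]
    return "deleted"

def demo():
    """Run both handlers on copies of the sample data and report outcomes."""
    vuln, fixed = dict(CARDS), dict(CARDS)
    ATTEMPTS.clear()
    return {
        "vuln_foreign": delete_card_vulnerable(vuln, "alice", 2),
        "fixed_foreign": delete_card_fixed(fixed, "alice", 2),
        "fixed_own": delete_card_fixed(fixed, "alice", 1),
        "vuln_left": sorted(vuln),
        "fixed_left": sorted(fixed),
    }

if __name__ == "__main__":
    print(demo())
```

Returning "not_found" for both a missing id and someone else's id keeps the endpoint from confirming which ids exist; in a real service the attempt budget would be time-windowed rather than a lifetime counter.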

We’re thankful to all the security researchers who have worked hard to find and report vulnerabilities in Twitter, and we look forward to continuing our good faith relationship in 2016 and beyond. If you’re interested in helping keep Twitter safe & secure too then head on over to our bug bounty program, or apply to one of our open security positions!