We'll Pay You to #HackTor

There are bugs among us

Millions of people around the world depend on Tor to browse the internet privately and securely every day, so our security is critical. Bugs in our code pose one of the biggest threats to our users’ safety; they allow skilled attackers to bypass Tor’s protections and compromise the safety of Tor users.

We’re constantly looking for flaws in our software and been fortunate to have a large community of hackers who help us identify and fix serious issues early on, but we think we can do even more to protect our users. That’s why if you can #HackTor and find bugs in our software, we want reward you.

Join our first public bug bounty

With support from the Open Technology Fund, we’re launching our first public bug bounty with HackerOne. We’re specifically looking for your help to find bugs in Tor (the network daemon) and Tor Browser. A few of the vulnerabilities we’re looking for include local privilege escalation, unauthorized access of user data, attacks that cause the leakage of crypto material of relays or clients, and remote code execution. In January 2016, we launched a private bug bounty; hackers helped us catch 3 crash/DoS bugs (2 OOB-read bugs + 1 infinite loop bug) and 4 edge-case memory corruption bugs.

Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attacks. We’ll award up to $4,000 per bug report, depending on the impact and severity of what you find.

Here's how to get started

Sign up for an account at HackerOne. Visit https://hackerone.com/torproject for the complete guidelines, details, terms, and conditions of our bug bounty. Then, start finding and reporting bugs to help keep Tor and Tor Browser safe.

Happy bug hunting!


August 02, 2017


Why not full disclosure? You can say "not to harm the users", but I say that NSA already knows everything researchers can find. How can we be sure that tor project is honest and is not exploiting the delay you have paid for? I insist on full disclosure.

It's hard to argue about the capabilities of the NSA. But for the sake of argument let's assume you are right about that. There are still lots of scenarios where other folks could be harmed (e.g. syrian dissidents) if we would not disclose vulnerabilities in a responsible way just because the are targeted by less powerful actors.

Could you rephrase the "exploiting the delay you have paid for"? You mean we'd just pay researchers to keep quiet while not fixing critical bugs as fast as possible? If so, then the same logic as above applies to that case: the longer we keep this critical bug unfixed the more likely it is that others will discover the bug, too, and start to exploit it. Thus, we have to much quickly to avoid that.

They absolutely do not know every bug which researchers can find. They are humans, too, after all. There was actually a paper about this, about the amount of "0day collisions" (0days kept private, but found independently by multiple parties). It wasn't specific to Tor, but it does present the case that most high-profile exploitable software will not necessarily have a large amount of independently-discovered 0days.

Now, the argument of full-disclosure on its own still has merit. For example, I make use of full-disclosure to patch my systems or otherwise mitigate the problem as soon as it comes out, and long before an official fix is released. This has nothing to do with the belief that "the NSA already has all those bugs".

You are free to report bugs you find to the full-disclosure mailing list instead of this bug bounty program.


September 22, 2017


Hey, nice page...

I've got one question. Is it normal that everytime when I start Orfox on my phone I have to reconfigure NoScript?

Because of after every restart all webpages are whitelisted and when I go into the NoScript Configuration I see nothing, only Disable or Uninstall. When I press the Disable-button and enable it again then I can configure it and I can use the classic blacklist config.

Please try to fix it.