Report Bugs, Get $$ Like @atechdad
This week, the Tor Project -- with support from the Open Technology Fund and HackerOne -- paid out $3,000 (the highest bounty) to a developer who reported a potential proxy bypass bug. An attacker could use the bug, which affected some Linux machines, to bypass Tor’s anonymity protections.
The day after Julian Jackson (@atechdad) reported the bug through HackerOne, we released Tor Browser 7.0.3. We saw no indication that it was used in the wild, and the bug didn't affect users of Tails, Whonix, or our sandboxed Tor Browser.
We appreciate everyone who takes the time to reports bugs to us. People responsibly disclosing bugs directly to us is how we keep Tor secure. Our thanks to everyone who’s been involved -- since launching our bug bounty program, we’ve paid out almost $7,000! If you'd like to be involved, head over to our HackerOne page to get started.
No problem at all! That's how we want people to disclose them.