Tor developers have acknowledged security vulnerabilities in the platform, but also started a major effort to fix them, by launching a program that will pay people who find bugs in the Tor code.
The new Tor initiative is a bug bounty program. That means programmers who review Tor code and find bugs will receive cash for their efforts. They don’t have to fix the flaws, just identify them. The program will be invite-only at first, but should later be opened up to the public, according to Tor developers.
Bug bounty programs are a security strategy that has become common in the software world in recent years. Major companies like Facebook have already used them to identify security vulnerabilities in their platforms.
The benefits of a bug bounty program for Tor are two-fold. First, it will give more programmers incentive to study the Tor code. More reviewers make it easier to find flaws since “given enough eyeballs, all bugs are shallow,” as the Linux crowd says.
Second, and perhaps more importantly, the bug bounty program makes it more likely that people who find bugs in Tor will report them to the Tor programmers so they can be fixed, rather than selling the information to hackers or governments who are interested in finding ways to defeat Tor’s security and privacy features.
The effort is also notable because it signals Tor developers’ willingness to acknowledge that Tor is not perfect. If you use Tor, it’s important to keep in mind that there’s no complete guarantee of flawlessness. A security bug could still potentially allow you to be tracked.
At the same time, however, focusing on finding and fixing privacy holes in Tor is a sign that Tor developers continue to take privacy very seriously.
The announcement, first reported by Motherboard, came at the “State of the Onion” address, at which Tor developers offer updates on the platform. It followed the Tor developers’ mention of a possible bug bounty program on their blog back in November 2015.