Bug bounty startup HackerOne Inc. is giving back to the open-source community with a new program that provides its professional suite for free to qualifying projects.
Dubbed the HackerOne Community Program, it is open to open-source projects that are licensed under an Open Source Initiative license and have been active for at least three months. In addition, projects are required to add a “SECURITY.md” file to their project root describing how to submit vulnerabilities, to advertise the bug bounty program on their website, and to commit to responding to new bug reports within a week.
Founded in 2012, HackerOne offers a cloud-based bug bounty platform known as Security@ that provides access to a community of more than 100,000 vulnerability assessment professionals whom organizations can ask to look for weaknesses in their technology infrastructure. It’s already being used by open-source projects such as Ruby, Rails, Discourse, Django, GitLab, Brave and Sentry.
The program will provide the same vulnerability submission coordination, de-duplication service, analytics and bounty programs as the paid version. But it will not include customer support, and HackerOne will still charge its usual 20 percent payment processing fee on all cash bounties paid.
HackerOne Chief Executive Officer Marten Mickos claims that the program is the first of its kind. He said the company was aiming to ensure that open-source projects received as much support as possible when it comes to running simple, efficient and productive security programs.
“Our company, product, and approach is built on, inspired by, and driven by open source and a culture of collaborative software development,” Mickos said in an announcement post.