Naked Security

Tor Project to launch first bug bounty program

It's by invitation only. Let's hope they open it up to all soon, given the many parties who'd love to get their hands on a Tor zero-day.

Found a bit of rot in one of the anonymizing layers of the Tor service?

It might well be worth something – something monetary, that is, beyond just good karma with the pro-privacy population.

The Tor Project on Monday announced that as of the New Year, it will be paying bug bounties.

The bounty program was announced at the State of the Onion address at the annual Chaos Communication Congress art, politics and security conference in Germany, according to Motherboard.

The reference to onion, of course, is that Tor is short for “The Onion Router”: it shuffles traffic along a random path of relays inside its network, wrapping each hop in its own layer of encryption, in the way that an onion is made up of concentric layers.
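To make the onion metaphor concrete, here is an added toy simulation of layered encryption; it is not Tor's code, and the relay names, keys and the SHA-256-based stream cipher are constructed for the demo (real Tor uses AES-CTR layers negotiated per hop over TLS). The client wraps the payload once per relay, innermost for the exit, and each relay can open only its own layer, learning just the next hop.

```python
import hashlib
import hmac
import json
import os

# Constructed example: a three-hop circuit, each relay holding its own symmetric key
# shared with the client. Relay names and keys are assumptions made up for this demo.
CIRCUIT = [
    ("guard", hashlib.sha256(b"demo-key-guard").digest()),
    ("middle", hashlib.sha256(b"demo-key-middle").digest()),
    ("exit", hashlib.sha256(b"demo-key-exit").digest()),
]
NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustrative only; Tor uses AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """One onion layer: fresh nonce, XOR with keystream, HMAC over nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; a relay without the right key fails the tag check and learns nothing."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def build_onion(circuit, payload: bytes) -> bytes:
    """Client side: wrap the payload for the exit first, then one layer per earlier hop,
    so the guard's layer ends up outermost. Each layer names only the next hop."""
    _, exit_key = circuit[-1]
    blob = encrypt_layer(exit_key, json.dumps({"next": None, "inner": payload.hex()}).encode())
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        blob = encrypt_layer(key, json.dumps({"next": next_name, "inner": blob.hex()}).encode())
    return blob


def peel_layer(key: bytes, blob: bytes):
    """Relay side: remove own layer, return (next hop, remaining onion)."""
    msg = json.loads(decrypt_layer(key, blob))
    return msg["next"], bytes.fromhex(msg["inner"])


def route(circuit, onion: bytes):
    """Forward the onion hop by hop. Returns what each relay learned and the exit's payload."""
    learned = []
    blob = onion
    for name, key in circuit:
        next_hop, blob = peel_layer(key, blob)
        learned.append((name, next_hop))
    return learned, blob


def demo(payload: bytes = b"GET / HTTP/1.1"):
    return route(CIRCUIT, build_onion(CIRCUIT, payload))


def middle_cannot_peel_outer_layer() -> bool:
    """The middle relay's key does not open the guard's (outermost) layer."""
    onion = build_onion(CIRCUIT, b"x")
    try:
        decrypt_layer(CIRCUIT[1][1], onion)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    learned, payload = demo()
    for relay, next_hop in learned:
        print(f"{relay} forwarded to {next_hop}")
    print("exit received:", payload)
```

Running `demo()` shows the guard learning only that the next hop is the middle relay, the middle learning only the exit, and the exit alone recovering the payload; `middle_cannot_peel_outer_layer()` shows why a single relay cannot shortcut the path.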

Nick Mathewson, co-founder, researcher, and chief architect of the Tor Project, told the publication that when it comes to scouring code, it’s time to get more people on board:

We are grateful to the people who have looked over our code over the years, but the only way to continue to improve is to get more people involved.

The nonprofit Tor Project, founded by Roger Dingledine and Mathewson in 2006, develops and maintains free software and tools that support anonymous communications on the Dark Web.

Tor’s multiple layers of encryption shield the path your traffic takes, thus shielding your location and your connection to any hidden services you use.

But Tor’s own analysis has found that hidden services actually make up only a fraction of its traffic: about 3.4% of client traffic is hidden-service traffic, and 6.1% of traffic seen at a relay is hidden-service traffic.

In other words, it’s used for far more than buying drugs or dealing in child abuse images.

Tor’s normal, non-criminal users include journalists, law enforcement, activists, whistleblowers (Edward Snowden’s a user), those who don’t want to be surveilled, and people trying to protect their kids’ personally identifying information (PII), among others.

Details about the bug bounty program are limited, but we do know this: it’s going to be invitation-only, at least at first, and it will cover vulnerabilities specific to Tor applications.

Dingledine said that the Tor Project is working with a sponsoring organization, the Open Technology Fund (OTF).

The OTF is paying HackerOne, a platform for connecting researchers who discover vulnerabilities and the companies affected by them, to help it run the bounty program.

Tor already has a price on its head, of course. Or, rather, make that a few prices.

Zerodium, the new security company that made a splash in September by waving around $1 million for an iOS 9 bug, has offered $30,000 for an exploit affecting the Tor browser, according to Wired.

Russia, for its part, has offered a bounty of 3.9m rubles (about £65,000, or $55,000) to anyone who can peel the onion.

In the US, the Tor Project has accused the FBI of paying Carnegie Mellon $1 million to get its hands on technology that allowed it to pierce Tor’s layers, though the university has denied it.

Clearly, there’s money to be made by those who find a bug in Tor.

The Tor Project is understandably starting its bug program off gradually, opting for a model in which it hand-picks which bug hunters get to start looking first.

But with all the interested parties out there who are keen to learn about a zero-day Tor bug before their surveillance targets do, and who are quite willing to pay for that early access, let’s hope the Tor people shift out of that slow start soon.

The faster the better, for the sake of all who rely on Tor.


When you help TOR you are helping yourself from being personally exploited on the internet. You also want to help innocent people from getting exploited. EFF helps TOR to be secure and safe and so you should too. We will always be exploited and our privacy and or free speech could be intercepted and used against us on the internet but we want to minimize the risks as much as we can by fighting those exploits.


Can I ask how stupid it is to let an American cloud Jira application host the zero-day bugs of the Tor privacy software? This is like an invite for the agencies to capture the data ahead. I do not think we should outsource a German project like this to a US company that is doing fraud things with a commercial bug bounty model.


I get your general point…but if you are going to accuse a company of fraud (which is a criminal offence), you really ought to present some evidence. (Or take up your complaint with the Tor project.)

