It is common for companies to have a bug bounty program which rewards researchers who find and disclose security issues. One popular platform for hosting bug bounty programs is hackerone.com.
Companies are, however, reluctant to include their open source code in these programs. At Square, we came up with a solution.
Why care about open source projects?
There are a few reasons why I wanted us to include our open source projects in our bounty program. Some of this code is used in our core infrastructure, so we want to know about any security issue that might affect our customers' security.
I also feel that most current bug bounty programs target web security researchers and exclude people who have other skills (such as backend or static analysis skills). Our open source projects provide a way for security engineers with strong abilities in C, Java, Go, etc. to make meaningful contributions.
Some concerns companies have with bounty programs.
It seems companies are concerned that allowing bug reports against publicly accessible source code will waste their time and money. They are concerned that they will have to deal with reports about theoretical flaws which cannot be exploited in practice.
Being able to see the source code implies being able to see some of the design decisions the authors made. Design improvements are sometimes deemed not worth fixing if they require a breaking API change.
To summarize, being able to see the source code can lead researchers to miss the overall picture, which is taken into account when deciding whether or not to fix a given bug.
Square's bug bounty program.
The rules for our two bounty programs (the regular program and the open source program) are quite different. For example, our open source bounty requires people to submit a proof-of-concept or demonstrate a clear path to exploitation.
You can read more about this effort in our blog post.