TikTok has expanded its vulnerability disclosure policy to include a global bug-bounty program through a partnership with the ethical hacker platform HackerOne. The bug-bounty program launch signals a new direction for the Chinese-owned video-sharing app, which has been much maligned for its questionable security practices.

Hackers who find critical vulnerabilities in TikTok’s platform can receive between $6,900 and $14,800 under the program, which marks the first time TikTok has invited the public security community to analyze its platform for vulnerabilities.

“This partnership will help us to gain insight from the world’s top security researchers, academic scholars and independent experts to better uncover potential threats and make TikTok’s security defenses even stronger,” Luna Wu from TikTok’s global security team said in a Thursday blog post unveiling the partnership.

The program invites ethical hackers to submit a wide range of vulnerabilities in the app, including those related to: XSS, CSRF, SSRF, SQL injection, ROP or JOP; reproducible crashes with stack traces; leaked or hard-coded sensitive credentials; exploitable, dangerous APIs; control-flow hijacking attacks; user data leaks; authentication or authorization vulnerabilities; or access to internal TikTok resources.

A full list of vulnerabilities that are covered under the program is available on the TikTok landing page. To submit bugs to be evaluated under the program, researchers can use an online form, Wu said.

The program’s rewards are based on severity per the Common Vulnerability Scoring Standard (CVSS), which is used universally to rate the risk of security vulnerabilities. In addition to the highest bounties for bugs that earn critical ratings, hackers can earn between $1,700 and $6,900 for vulnerabilities rated “high”; $200 to $1,700 for bugs rated “medium”; and $50 to $200 for bugs rated “low.”

TikTok, owned by China-based ByteDance, has been banned in some countries and was on its way to the same fate in the United States, mainly because of security concerns over ByteDance’s alleged cozy relationship with the Chinese Communist government, which experts believe put the data of its 100 million U.S. users at risk. The app has used various tactics to collect data from both Android and iPhone devices without users’ knowledge, among other shady practices.


TikTok Launches Bug Bounty Program Amid Security SNAFUs