Security on a global platform like Twitter is a 24/7 job: we are constantly evolving to respond to new threats and attacks against our users and our systems. To stay ahead, we staff dedicated account-, network-, enterprise-, corporate-, and application-security teams, as well as an incident detection and response team. We also maintain a secure development lifecycle that includes secure development training for everyone who ships code, security review processes, hardened security libraries, and robust testing through internal and external services, all to maximize the security we provide to our users.
On top of these measures we also engage the broader infosec community through our bug bounty program, allowing security researchers to responsibly disclose vulnerabilities to us so that we can respond and address these issues before they are exploited by others. We’ve been running our program on HackerOne since May 2014 and have found the program to be an invaluable resource for finding and fixing security vulnerabilities ranging from the mundane to severe.
In the two years since launch we’ve received 5,171 submissions to our program from 1,662 researchers.
When we made our $12,040 payout, it set a record on HackerOne:
Congrats @filedescriptor for record $12k award from @twittersecurity, and thanks for making the Internet safer! pic.twitter.com/z6RLUBOIlr
— HackerOne (@Hacker0x01), December 22, 2015
We also offer a minimum of $15,000 for remote code execution vulnerabilities, but we have yet to receive such a report.
Since launching the program we’ve seen impressive growth in both the number of vulnerabilities reported and the amounts paid out, reflecting both our rising payout minimums and the growing community of ethical hackers participating in the program:
We’ve had many great bugs exposed through the program. For example:
We’re thankful to all the security researchers who have worked hard to find and report vulnerabilities in Twitter, and we look forward to continuing our good-faith relationship in 2016 and beyond. If you’re interested in helping keep Twitter safe and secure too, head on over to our bug bounty program, or apply to one of our open security positions!