HackerOne will offer free bug bounty programmes to open source projects, the site has announced.
Last week, the platform unveiled HackerOne Community Edition – a service that enables the creators of open source projects to use HackerOne Professional for free.
This will give them vulnerability submission, coordination, dupe detection, analytics and bounty programmes free of charge in an effort to simplify the way they attract and manage reports. The one caveat, according to the site, is that they will not have dedicated customer success support.
In a blog post, HackerOne said that open source projects like Ruby, Rails, Discourse and Django already use its services, which have resolved more than 1,200 open source vulnerabilities.
“Our primary focus at HackerOne is to help make the internet safer,” the site said. “As part of this we know that open source underpins many products and services that we use every day, so we want to ensure that open source projects can get as much support as possible in running simple, efficient and productive security programmes.”
The move was met with praise from the creators behind high-profile open source projects.
“As open source has become an increasing component in how organisations consume technology, the workflow of how people build these projects is critical,” said Jono Bacon, leading community strategist, manager and previous director of community at Canonical, GitHub and XPRIZE.
“I am delighted to see HackerOne provide a key component in this workflow in much the same way code hosting/review, continuous integration, containerisation and other pieces have become staple pieces.”
To qualify for the free service, open source projects must be covered by an OSI-approved licence, be at least three months old and include a security policy that details how to submit vulnerabilities.
Projects must also display links to their HackerOne profiles on their websites and respond to new vulnerability reports in less than a week.