TikTok has expanded its vulnerability disclosure policy to include a global bug-bounty program through a partnership with the ethical hacker platform HackerOne. The launch signals a new direction for the Chinese-owned video-sharing app, which has been much maligned for its questionable security practices.

Hackers who find critical vulnerabilities in TikTok’s platform can receive between $6,900 and $14,800 under the program, which marks the first time TikTok has invited the public security community to analyze its platform for vulnerabilities.

“This partnership will help us to gain insight from the world’s top security researchers, academic scholars and independent experts to better uncover potential threats and make TikTok’s security defenses even stronger,” Luna Wu from TikTok’s global security team said in a Thursday blog post unveiling the partnership.

The program invites ethical hackers to submit a wide range of vulnerabilities in the app, including those related to: XSS, CSRF, SSRF, SQL injection, ROP or JOP; reproducible crashes with stack traces; leaked or hard-coded sensitive credentials; exploitable, dangerous APIs; control-flow hijacking attacks; user data leaks; authentication or authorization vulnerabilities; or access to internal TikTok resources. A full list of the vulnerability classes covered under the program is available on the TikTok landing page.

To submit bugs to be evaluated under the program, researchers can use an online…
