The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you.
The Tor Project is only offering bug bounties for two of its core products: Tor (the network daemon) and Tor Browser. Other services (such as the website, bug tracker, and server infrastructure) and other products (such as OONI, Orbot, and Tor Messenger) are out of scope. Both the Tor and the Tor Browser bounties are split into tiers, each with its own price range and restrictions.
For Tor the tiers, price ranges and restrictions look like this:
This tier is for low severity bugs that force Tor to misbehave in a way that might be security related but does not put our core users in danger. If we receive a bug that is too low severity even for this tier, we can still send the submitters some stickers or a t-shirt, and mention them in our greetz list.
This tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.
This tier is for serious security bugs that result in users getting deanonymized or compromised.
Medium or High severity vulnerabilities in any third-party library that cause an issue as defined above are in scope for this bug bounty program. This does not include third-party libraries covered by other bug bounty programs, such as the IBB (Internet Bug Bounty). For the avoidance of doubt, this excludes OpenSSL, but libevent is still in scope.
This section specifies an incomplete list of vulnerabilities that are NOT in scope for this bug bounty program.
These attacks or issues arise from unanswered research questions rather than from bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any such defense is a mitigation and should not be taken as indicating a strong security boundary. Other excluded attacks depend on users performing obviously unsafe tasks; we also consider those out of scope for this program and try to address them by educating users.
Here is an incomplete list of excluded vulnerabilities:
For Tor Browser the tiers, price ranges and restrictions are the following:
Generally there is no reward for anything already in our public bug tracker. This holds for Mozilla's bug tracker as well, with exceptions (see below). If you claim a bounty from us in addition to one from Mozilla, we need to be notified of the specific issue before the bug becomes public.
This tier is for third-party/supercookie tracking issues:
a. Non-fingerprinting (identifiers/cookies/etc): $1000
b. Fingerprinting (reward depends on accuracy and/or entropy; however, "fingerprinting" for this bounty program is defined fairly loosely, e.g. any bug that helps an attacker learn something about a user's habits is in scope for this item): $100-$1000
This tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:
a. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000
b. NoScript bypass to get any script to run: $1000-$2000
This tier is for serious security bugs that may result in users getting deanonymized or compromised.
a. "Uncontrolled" Partial Proxy Bypass: $2000
b. Full Proxy bypass: $3000
c. Tor Browser-Specific Code Exec Base Bounty: $3000
d. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:
If you have security bug reports you want to send directly to us, feel free to contact us at firstname.lastname@example.org.
Contact us if you want more information.