The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you.
The Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser, a good place to start is the latest stable, alpha, and nightly builds. The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via https://nightlies.tbb.torproject.org/nightly-builds/tor-browser-builds/.
Other services (like the website, bug tracker, and server infrastructure) or products (like OONI or Orbot) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions.
Internet Bug Bounty
The Internet Bug Bounty is providing the funding for rewards offered by this program.
The project maintainers have the final decision on which issues constitute security vulnerabilities. The Internet Bug Bounty Panel will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Questions
If you have questions about our bug bounty program or if there are security bug reports you want to send directly to us (disqualifying them from any potential bounty), feel free to contact us via tor-security@lists.torproject.org.
Scope Type | Scope Name |
---|---|
other | Orbot |
other | Tor |
other | Tor Browser |
web_application | Services (like the website, bug tracker, and server infrastructure) |
The program was crawled by Firebounty on 2017-07-20 and updated on 2019-08-22; 34 reports have been received so far.