Threat Post
The initiative, run by HackerOne, aims to uncover dangerous code repository bugs that end up going viral across the application supply-chain.
Tech giants want hackers to take their money, in exchange for rooting out critical vulnerabilities lurking in the open-source code they use.
As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma, GitHub, Shopify and TikTok, announced they are throwing a new round of resources behind an Internet Bug Bounty Program (IBB) to lure threat hunters’ attention to open-source supply chains.
For perspective, recent research from Synopsys found the average application uses around 528 open-source components, and most of the high-risk vulns found last year had been around for more than two years — meaning they had plenty of time to proliferate. A 2020 review also found that 70 percent of mobile and desktop apps contain open-source bugs.
So far, the program has already made good progress. HackerOne initially launched the IBB back in 2013 and has since found 1,000 bugs and paid out $900,000 to around 300 hackers, the company said.
Following a spate of spectacular software supply-chain breaches, market leaders have decided to throw in some cash