The move is a distinct change in direction for the app, which has been criticized and even banned for its security practices.
TikTok has expanded its vulnerability disclosure policy to include a global bug-bounty program through a partnership with the ethical hacker platform HackerOne. The bug-bounty program launch signals a new direction for the Chinese-owned video-sharing app, which has been much maligned for its questionable security practices.
Hackers who find critical vulnerabilities in TikTok’s platform can receive between $6,900 to $14,800 according to the program, which marks the first time TikTok has invited the public security community to analyze its platform for vulnerabilities.
“This partnership will help us to gain insight from the world’s top security researchers, academic scholars and independent experts to better uncover potential threats and make TikTok’s security defenses even stronger,” Luna Wu from TikTok’s global security team said in a Thursday blog post unveiling the partnership.
The program invites ethical hackers to submit a wide range of vulnerabilities in the app, including those related to: XSS, CSRF, SSRF, SQL Injection, ROP or JOP; reproducible crashes with stack traces; leaked or hard coded sensitive credentials; exploitable, dangerous APIs; control flow hijacking attacks; user data leaks; authentication or authorization vulnerabilities; or access to internal TikTok resources.
A full list of vulnerabilities that are covered under the program is available on the TikTok landing page. To submit bugs to be evaluated under the program, researchers can use an online form, Wu said.
The program’s rewards are based on severity per the the Common Vulnerability Scoring Standard (CVSS), which is used universally to rate the risk of security vulnerabilities. In addition to the highest bounties for bugs that earn critical ratings, hackers can earn between $1,700 to $6,900 for vulnerabilities rated “high”; $200 to $1,700 for bugs rated “medium;” and $50 to $200 for bugs rated with a “low” risk.
TikTok, owned by Chinese-based ByteDance, has been banned in some countries and was on its way to the same fate in the United States mainly due to its security practices related to ByteDance’s alleged cozy relationship with the Chinese Communist government, which experts believe put the data of its 100 million U.S. users at risk. The app has used various tactics to collect data from both Android and iPhone devices without users knowing, among other shady practices.
On the eve of a U.S. ban, TikTok owner ByteDance reached an agreement to sell significant ownership stakes to Oracle and Walmart, a deal that’s currently under review. Oracle has agreed to take a 12.5 percent in the Chinese firm, while Walmart will take a 7.5 percent share; together the companies will pay a combined $12 billion for the 20 percent ownership share to cover TikTok’s U.S. operations.
It’s unclear if this deal is what is encouraging TikTok custodians to be more transparent about app security, but the expanded bug bounty program will likely improve its overall security and thus its standing with the tech security world at large, observers said. Along with the HackerOne partnership, TikTok also is rolling out a video series in which employees encourage users to practice good cyber hygiene.
“Such programs can attract a diverse mix of talented researchers who are able to look at applications with unique perspectives and experiences that may not necessarily be available in internal security teams,” said Tim Mackey, principal security strategist, CyRC, at Synopsys, in an e-mail to Threatpost.
He noted that TikTok’s move is on the heels of Apple expanding its formerly private bug bounty program into the public realm, which already yielded a number of key vulnerability disclosures for the tech giant.
Given that TikTok is most popular with teenagers—who likely don’t give much thought to how the apps they use might be spying on them–the program also “can go a long way to improving the overall security for how they interact with applications and manage data they’ve created,” Mackey added.