Calling All Hackers: Wickr's Bug Bounty Begins

Last Update: August 24, 2015

Wickr is looking to recruit the best hackers in the world in a continuous effort to protect our users. Starting today, we are offering a bounty for reporting critical security vulnerabilities that can substantially affect the confidentiality or integrity of user data.

If you believe you have found a security vulnerability in the Wickr App, we encourage you to report it to our Bug Bounty Program. Before you report a vulnerability, please review the program rules, including a responsible disclosure policy, rewards guidelines and the scope of the program. By submitting a report within this program, you agree to be bound by these rules. We will investigate all qualifying reports and do our best to fix the reported issue as soon as possible.

Engaging Hackers

Wickr was founded on the belief that private communication is a universal human right that enables innovation and economic growth, and empowers democracy. As a security-focused company, we are committed to constantly improving our best-in-class encryption technology against sophisticated threats that our users face daily, protecting their business data and private personal communications. That is why, since its launch, Wickr has engaged world-class information security organizations to pen-test and verify Wickr’s code, security and policies.

Veracode, Aspect Security and ISEC Partners have reviewed and confirmed the security of the Wickr platform. At DEF CON 21, Wickr had the honor to be the target of a presentation conducted by experts from Stroz Friedberg, one of the largest forensics companies in the world. The researchers analyzed Wickr, Snapchat and Facebook Poke to determine that, while Snapchat and Facebook revealed personal information, Wickr indeed left no trace. We expect finding critical vulnerabilities in Wickr to be difficult and are honored to work with those that make efforts to help us ensure the security of the Wickr community.

About Wickr

The Wickr team is made up of security and privacy experts who strongly believe that strong encryption standards are our key defense against emerging security threats. Wickr is a free app enabling anyone to send encrypted text, audio, picture and video messages. Wickr binds each message to your device, clears metadata from files and permanently shreds deleted files from your device.

Program Statement

Wickr Bug Bounty Program

The Wickr Bug Bounty Program is designed to encourage responsible security research focused on Wickr software. It is impossible to overstate the importance of the role the security research community plays in ensuring modern software remains secure. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their work speeds the pace of advancing security to the benefit of all. Through this program and partnerships with InfoSec organizations, we pledge to continuously improve the security and usability of our network, keeping Wickr the most trusted messaging platform in the world.

Terms and Conditions

Wickr will issue rewards in recognition of qualifying security vulnerabilities. A qualifying security vulnerability is any previously unreported design or implementation issue that substantially affects the confidentiality or integrity of user data.

Kids Welcome

Any age is welcome to participate. Wickr Android was first beta tested with the r00tz kids at DEF CON.

Submission Process

To submit a vulnerability, send a complete description of the issue to bugbounty@wickr.com. Please be prepared to provide additional clarifying information as well as tools, procedures and algorithms employed upon request. If you developed a novel approach to solve the issue, please include it with your submission.

Responsible Disclosure

We believe in responsible disclosure of security vulnerabilities. To allow sufficient time for internal review and remediation, and to qualify for reward, qualifying security vulnerabilities submitted under this program cannot be disclosed or reported to any third party within six (6) months of the date of submission without our written permission.

Rewards

Qualifying security vulnerabilities can be rewarded with up to $100,000, depending on our assessment of severity as calculated by likelihood and impact. Reward amounts are entirely at the discretion of Wickr’s Security Team, and all determinations are final. The payments are in US dollars, and the beneficiary is responsible for all applicable taxes, fees and tariffs in her/his country of residence. Team submissions must split the reward.

The prize payment cannot be made anonymously, and personally identifiable information (PII) must be provided to Wickr before payment can be made. The PII might contain the legal name, address, phone number and financial information like bank account number, etc.

All prizes and their monetary value are established by Wickr Inc. and are paid after all the requirements have been met.

Prohibitions

The scope of this program is limited to technical security vulnerabilities in Wickr software. Under no circumstances should your testing affect the availability of Wickr services, disrupt or compromise any data that is not your own, or violate any law or our Terms of Service.

Restrictions

To be eligible for the program, you must not:

Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);

Be employed by Wickr, Inc. or its subsidiaries;

Be an immediate family member of a person employed by Wickr, Inc. or its subsidiaries.

Legal

You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law and age. We reserve the right to cancel or change the program at any time. The decision as to whether or not to pay a reward is entirely at our discretion. Void where prohibited by law. 
