Twitter will start paying individuals for any flaws they uncover on its web, iOS or Android platforms, with a reward of $140 or more offered per flaw.
Twitter Security announced the move in a post linking to its new conditions on the third-party HackerOne website.
We’re introducing a bug bounty program to thank researchers for responsibly-disclosed issues. Learn more: https://t.co/cXkWDsQuRe.
— Twitter Security (@twittersecurity) September 3, 2014
There is no upper limit to how much someone may be rewarded but there are numerous terms and conditions for how bounties are paid out, as the Twitter page on the HackerOne website explains.
“Reward amounts may vary depending upon the severity of the vulnerability reported. Twitter will determine in its discretion whether a reward should be granted and the amount of the reward,” it said.
“This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.”
To be eligible for a reward, those submitting a vulnerability must be the first to report it, must not disclose it publicly until it is fixed, and the issue must fall within the scope of what Twitter classes as a vulnerability.
Twitter cited cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE), unauthorised access to protected tweets and unauthorised access to direct messages as the most common flaws it usually fixes.
Twitter also said that anyone who provided a vulnerability report prior to the launch date of the new bounty programme – 10.30am Pacific Time on 3 September – will not receive a backdated payout.
Security researchers in North Korea, Iran, Cuba, Syria and other nations with sanctions imposed will also not be able to receive funding.
The move to reward security experts for uncovering bugs is commonplace across the industry, with Microsoft offering rewards as high as $100,000.
Last year Yahoo was slammed for only offering caps and t-shirts for its reward programme, although this has now been upgraded to offer financial rewards of as high as $15,000.