Here at Clubhouse we work hard to bring new features into existence that positively contribute toward our goal of building “a more human place on the Internet.” Social audio is still in its early chapters, and building experiences for our community that don’t exist anywhere else is both rewarding and a big responsibility. Blazing the trail means we’ll inevitably come up against the unexpected, and our goal is to ensure that we can catch and fix any issues that may arise before they impact our community.
It’s because of this that Clubhouse invests so heavily in security, privacy, and trust and safety. You may have also noticed that we often roll out major new features gradually in a limited beta, which ensures we can catch and address any bugs before opening them to the whole community. However, even with all of these efforts, we know that more eyes make for a better product, which is why we’re thrilled to open up Clubhouse’s bug bounty program to the public starting today!
What is a Bug Bounty?
In simple terms, bug bounties help companies tap into the wisdom of the broader security community to bolster their defenses. In the world of information security, the process of investigating software for the presence of vulnerabilities is common practice and helps keep the ecosystem healthy — this is called vulnerability research. Curious and creative folks are motivated to find flaws in software, often for the purposes of their own intellectual exploration, and report those flaws to the parties that can fix them. This is a critical feedback loop for helping find and address flaws in the code that might otherwise be missed, and ultimately better protects the users of these services.
A bug bounty program formalizes this process and provides a way to compensate these researchers for their work. Opening a bug bounty program is the company’s way of saying, “We want you to test our systems and share your feedback!” and gives security researchers clear guidelines for performing their research and reporting their findings.
Clubhouse’s Bug Bounty
So hopefully now, if you’re a security researcher, you’re asking yourself: how can I participate?
We’re excited to announce we’ll be partnering with HackerOne, the industry leader in hosting bug bounty programs.
“We’re excited to help support security for a platform like Clubhouse, which is already making waves through the conversations they’ve prompted within their current community. Clubhouse’s public bug bounty program will offer their in-house security team continuous testing support from a diverse pool of talent through our global community of more than 1 million hackers. We look forward to seeing the program’s results and how insights from the program will shape Clubhouse’s overall cybersecurity strategy.”
— Michiel Prins, Co-Founder at HackerOne
While many bug bounty programs promise high rewards for catastrophic-level discoveries, our approach keeps the scope broad so we can address as many bugs as possible. To that end, if you can help us fix bugs that could cause harm to our community, you’ll be eligible to earn a bounty.
Additionally, our program includes a Safe Harbor Clause, which states that any researchers conducting themselves in compliance with the program policy will be protected from legal repercussions. As a security researcher myself, I see this protection from prosecution under the Computer Fraud and Abuse Act (CFAA) as fundamental to our commitment not only to our users but also to the security community that helps us keep Clubhouse users safe.
The goal of our bug bounty program is to provide an additional layer of protection for our community and the data they trust us with. This intentionally broad scope is a reflection of that commitment. Whether you’re a seasoned veteran or someone who’s new to the security field and looking to cut your teeth, we wholeheartedly encourage you to come check out our bug bounty and see if you can find any flaws in our platform! Our bounties will range from $100 to upwards of $3,000, and you can find more details and sign up to participate here: https://hackerone.com/clubhouse
For those of you who might be looking for something more permanent, we are growing our security team and we would love to work with you! Come check out our security roles; let’s build a more human place on the internet together.
If you missed our live conversation about the blog featuring Co-Founder of HackerOne, Michiel Prins, catch the replay here and join us!
— Chris Grayson, Security Engineering
This post is part of our engineering blog series, Technically Speaking.