Audio-based social media platform prioritizes access control bypasses and information disclosure flaws
Clubhouse, the audio-based chatroom application, has rolled out a public bug bounty program on HackerOne.
Financial rewards for unearthing critical flaws are pegged at $3,000, while ‘high’ severity bugs will command bounties of $1,500. Bug hunters could get $500 and $100, respectively, for valid ‘medium’ and ‘low’ severity bugs.
In a blog post published to coincide with the program’s launch, Clubhouse said: “While many bug bounty programs promise high rewards for catastrophic-level discoveries, our approach keeps the scope broad so we can address as many bugs as possible. To that end, if you can help us fix bugs that could cause harm to our community, you’ll be eligible to earn a bounty.”
Clubhouse users can set up or join chatrooms to discuss all manner of topics with friends or strangers using their device’s mic – as opposed to via text, emoticons and visual memes, as has otherwise been the norm on social media.
Launched in March 2020, Clubhouse enjoyed spectacular growth at the height of the coronavirus pandemic, with its cachet boosted by initially being invite-only and the likes of Tesla CEO Elon Musk and Meta CEO Mark Zuckerberg using the platform.
The app was downloaded more than 34 million times within a year of its launch, although its growth is since said to have slowed.
The Clubhouse bug bounty program has six assets in scope, including web domains clubhouse.com and joinclubhouse.com, backend API clubhouseapi.com, the Clubhouse iOS and Android applications, and the production and corporate infrastructure of Clubhouse developer, Alpha Exploration.
The company is particularly keen on hardening its applications against security flaws leading to access control bypasses, escalation of permissions, and disclosure of sensitive user information.
Its two other priorities are to bolster its infrastructure and internal “administrative tooling”.
Clubhouse is aiming to triage vulnerabilities within two business days of notification, and to pay bounties within 14 business days.
The app developer has already paid out more than $10,000 to ethical hackers within a few days of the program’s launch, with the highest bounty paid at the time of writing being $9,850.
“We’re excited to help support security for a platform like Clubhouse, which is already making waves through the conversations they’ve prompted within their current community,” said Michiel Prins, co-founder of HackerOne.
“Clubhouse’s public bug bounty program will offer their in-house security team continuous testing support from a diverse pool of talent through our global community of more than one million hackers.”