January 20, 2014
Secure messaging app provider Wickr has joined the top echelon of software developers by launching a bug bounty programme that offers up to US $100,000 for hackers who can find flaws in its software.
Security is fundamental to San Francisco-based Wickr, the service which launched two years ago and offers free text, audio, picture and video messaging that self-destructs.
The company is now aiming to ramp up its security, in a bid to be safe from hackers and government spies, by offering bug bounty rewards to maintain the confidentiality and integrity of its users' data.
In a recent blog post, co-founder and CTO Dr. Robert Statica said: “Wickr is looking to recruit the best hackers in the world in a continuous effort to protect our users. Starting today, we are offering generous amounts of money for critical security bugs found in our app and responsibly disclosed.”
CEO and co-founder Nico Sell added that Wickr has already extensively stress-tested its software, but told SCMagazineUK.com that the bounty was the next logical step.
“We don't think anyone will find anything - but it's worth it to us if they do. The level of bug bounty is high because security is important to us. It's as much money as anyone offers.”
‘Bug bounty’ is a controversial area with over 200 software companies now offering rewards, against competition from ‘black hat’ cyber criminals and nation states who pay generously for bugs that they can exploit. It is estimated that the most significant bugs can command prices of around £250,000 on the black market.
Andrew Beckett, a cyber security expert with Airbus Defence and Space, confirmed that these market forces are driving bug bounty programmes.
He told SCMagazineUK.com: “Unfortunately the black economy in this market is financed by the serious amounts of lucre that successful cybercrime can deliver - that's millions - which means that Governments and the IT sector are forced to compete for the best expertise and reward accordingly.”
“The bounty being offered to researchers to identify bugs or issues with software is comparable with the rewards offered to individuals who can identify exploits, viruses and other cyber attack mechanisms,” he added. “The cyber environment is no longer a technology driven field of enterprise but a serious market driven by capitalist market forces.”
Statica said in his blog that as well as paying up to US$ 100,000 (£60,835) for vulnerabilities affecting user confidentiality and integrity: “We will also consider paying the same amount for defence techniques and novel approaches to eliminating the vulnerability that are submitted at the same time. Our goal is to make this the most generous and successful bounty programme in the world.”
“Beyond making lots of money, you can feel good about helping Wickr because we were founded to protect the basic human right of private correspondence. Private correspondence is extremely important to a free society. People all over the world depend on Wickr. Please help us with this mission.”
Wickr says its software is used by “reporters, sources, senators, cops, freedom fighters, doctors, patients, lawyers, bankers, military, intel, boards, billionaires, celebs and college students”.
The company provides a method to send encrypted text, photos, videos, voice and PDFs and leave no trace. Both sender and receiver must have the app to communicate. Only the receiver is able to decrypt the message once it has been sent. Wickr does not have the decryption keys.
“Companies like Apple, Facebook and Google offer messaging that is archived, easily traceable, controlled by the recipient, shared with strangers and sold to marketers,” said the company. “Wickr flips messaging on its head, giving control to the sender instead of the receiver (or servers in between).”