Roy, who has a long list of bug discoveries to his name, contacted the Tor Project admin by email after he discovered an XSS vulnerability in their blog. The flaw allowed a potential attacker to build a specific URL that injects malicious scripts into web pages, which can then be executed unknowingly by a user visiting the link. Even after contacting the Tor Project, Roy got no response, so he tweeted about the vulnerability along with evidence.
[Embedded tweet from @RoyJansen_01, February 6, 2016]

In his tweet, Jansen included a link to demonstrate the vulnerability. When clicked, users are directed to the “Archive” section of the Tor Project’s website, but with an additional message inserted by Jansen.

“Maybe [the] Tor [network] isn’t really in danger,” Jansen told Motherboard in a Twitter message. “But their userbase/blog visitors are.”

“Cross-site scripting attacks use known vulnerabilities in web-based applications, their servers, or plug-in system on which they rely,” a part of Jansen’s message reads. “Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site.”

The screenshot tweeted included a popup; Jansen says this means that an attacker could also inject malicious JavaScript.

The Tor Project admin, which oversees the Tor browser, patched the vulnerability immediately after Roy tweeted about it, but surprisingly refused to acknowledge Roy’s discovery of the bug, let alone pay him a bug bounty or honour his work.
[Embedded tweet from @torproject, February 7, 2016]

It’s not like the Tor Project doesn’t have a bug bounty program. It announced its first bug bounty program, with sponsorship from the Open Technology Fund, in December 2015. However, in Roy’s case they refused to accept the bug discovery, let alone award him a bug bounty. Roy told Techworm that it’s good the Tor Project has patched the vulnerability, and that a simple thanks would have helped!
[Embedded tweet from @RoyJansen_01, February 7, 2016]