TikTok Launches Bug Bounty Program, In Line With The Tech Security World At Large


The larger something becomes, the more difficult it is to make sure everything is working as intended.

The same goes for TikTok, the Chinese social media platform touted as one of the most popular in modern internet culture. This is why the company has expanded its vulnerability disclosure policy to include a global bug-bounty program through a partnership with the ethical hacker platform HackerOne.

The move is a huge change to the way TikTok works, which has long been criticized and even banned due to its questionable security practices.

Here, TikTok's bug-bounty program launch signals a new direction for the Chinese-owned video-sharing app.

TikTok invites white hat ethical hackers and bounty hunters to find critical vulnerabilities in its platform, including, among others: XSS, CSRF, SSRF, SQL injection, ROP or JOP; reproducible crashes with stack traces; leaked or hard-coded sensitive credentials; exploitable, dangerous APIs; control flow hijacking attacks; user data leaks; and more.

In a blog post, Luna Wu of TikTok's global security team said:

“This partnership will help us to gain insight from the world’s top security researchers, academic scholars and independent experts to better uncover potential threats and make TikTok’s security defenses even stronger.”

This is the first time that TikTok has invited the public security community to analyze its platform for vulnerabilities.

According to the program, anyone who submits a valid vulnerability can earn between $50 and $6,900.

The price TikTok is willing to pay depends on the severity rating the bug receives under the Common Vulnerability Scoring System (CVSS), a scoring system used universally to rate the risk of security vulnerabilities.

To submit bugs to be evaluated under the program, people can use a dedicated online form, Wu said.

"We will seek to allow participants to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized at the express written consent of TikTok," the program's disclosure says.

"If 180 days have elapsed with the TikTok Team not providing a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the reporter. Retention, copying, or disclosure of TikTok information gained as a result of participation is not permitted."


TikTok, owned by Chinese-based ByteDance, has been banned in some countries, and was on its way to experiencing the same fate in the U.S.

This is mainly because of its security practices, as well as its alleged relationship with the Chinese government, which officials believe has put the data of TikTok's 100 million U.S. users at risk. The app has used various tactics to collect data from both Android and iPhone devices without users knowing, among other shady practices.

At this time, ByteDance has reached an agreement to sell significant ownership stakes to Oracle and Walmart, a deal that is still under review.

Oracle agreed to take a 12.5% stake in the Chinese firm, while Walmart wants to take a 7.5% share.

Together, the companies are willing to pay a combined $12 billion for their 20% ownership share in order to cover TikTok’s U.S. operations.

Whether or not this makes TikTok more transparent, its expanded bug bounty program is certainly a move in the right direction.

TikTok is growing fast and is already large in its own right. Evan Spiegel, founder and CEO of Snapchat, has even said that the platform could become more popular than Instagram.

Without help from experts, it may see its system crumble under its own weight. With the bug bounty program, TikTok can receive help from security experts around the world to bolster its platform.

Published: 19/10/2020