TikTok dares critics to find security flaws via bug bounty program

The short-form viral video-sharing network says it's secure and will pay those who can demonstrate otherwise.

On Thursday, TikTok announced an increased commitment to security as it joins the National Cybersecurity Alliance. In addition to some staff TikTok videos sharing tips about strong password creation, the embattled app is partnering with HackerOne for an international bug bounty program.

HackerOne is about as independent as a third party could get, with an extensive record of work for both the private and public sectors, including work for the Department of Defense. It’s clear TikTok wants to use National Cybersecurity Awareness Month as a way to let people look under the hood and see for themselves that it’s not giving data to the Chinese government.

The bug bounty program — The program bases its rewards on the Common Vulnerability Scoring System (CVSS), with reports classified as low, medium, high, or critical. Participants can receive as little as $50 for a low-level issue or as much as $14,800 for a critical one, but so far the average bounties have been in the medium range, with the most doled out for one report thus far totaling $8,292.

Though the government’s obsession with TikTok rests more on xenophobia and vanity than explicitly identified national security concerns, the app has far from a perfect record with security basics. Earlier this year, hackers revealed vulnerabilities related to (admittedly difficult to exploit) unsecured HTTP connections and, well, a lot of holes around access to users’ accounts.

TikTok is reportedly phasing in HTTPS across its markets and patched the egregious bugs exposed in January. Regarding the current bounty program, it has responded to reports within a day and resolves issues in an average of 29 days.

Show, don’t tell — TikTok has always denied allegations made by U.S. lawmakers and the Trump administration related to Chinese espionage or other national security threats. Now, amid a ban with a constantly moving deadline and unclear legality, parent company ByteDance has had enough. If the ruling nullifying the ban is overturned, the government would have to get specific fast about how ByteDance is putting Americans’ data at risk.

While it wades through the legal system, the company has no intention of anyone else running TikTok. Now, it’s just letting hackers poke around until someone believes it’s no more nefarious than, well, Facebook and Twitter.