Today we're really excited to announce the opening of the Mux bug bounty program.
Since we started Mux, we've worked hard to ensure Mux is a safe and secure environment for our customers and their viewers. For several years, we've worked with individual researchers in the security community, alongside more traditional penetration testing approaches, to ensure Mux reflects the level of security our customers need.
We strongly believe that a well-formed security posture balances a combination of approaches, including formal penetration scanning, a bug bounty program, upfront security reviews, and automated scanning.
A couple of months ago, we decided to formalize our bug bounty program, the outcome of which is the program we're announcing today. We did this for a few reasons:
First, we wanted to make sure there was a level playing field for researchers working with Mux, to ensure they could work in an environment where vulnerabilities were documented, so time wasn't wasted researching duplicate vulnerabilities.
Second, we wanted to be more transparent about the payments that researchers could expect when researching and reporting security issues.
Finally, we wanted to more actively encourage more researchers to work with Mux, by working with a platform known for providing great security research talent.
We ultimately selected HackerOne as the platform for the Mux bug bounty program. HackerOne is one of the most innovative platforms in the researcher community, and has a fantastic group of research talent underlying that platform. We were also excited to select a platform trusted by many of our own customers, partners, and companions in the media sector.
Initially, we're running the Mux bug bounty program privately, so if you want to participate in our program you'll need to be invited. While we do plan to open up the program more widely over the coming year, we wanted to initially prioritise the researcher experience and to make sure that we are able to quickly triage and resolve issues at they come in.
If you do want to be invited to the Mux private bug bounty program, please drop us an email or Twitter DM letting us know your HackerOne username, and we'll get you added!
If you aren't a member of HackerOne, we do also allow direct submissions from our security page. Please note that while you can submit vulnerabilities directly, we can only pay bug bounties via the HackerOne program, so you'll need to register with them to be eligible for bounty payments.
We look forward to expanding our work with the security researcher community.
