huntr.com migration FAQ

General questions:

Woah, huntr.com? What happened to huntr.dev?

In August 2023, huntr.dev was acquired by Protect AI, pioneers of MLSecOps and leaders in securing AI/ML systems. With the acquisition, Protect AI aims to address the vital need for research on AI/ML security threats, leveraging huntr's established community of open-source software (OSS) security specialists. You can read more about the acquisition here.

What happens to huntr.dev?

We’ve transformed huntr.dev into huntr.com – out with the old and in with the new! Whilst the bug bounty targets we list now have a specific AI/ML focus, under this shiny new exterior is the same bug bounty platform that you’ve grown to love.

I’m a Maintainer of an OSS project listed on huntr.com/bounties. What does this mean to me?

Good news! Protect AI is committed to OSS and the security of AI/ML-focussed projects, and so they’re doubling down on the funding for security research and remediation of your project. This means larger bounties and attracting more high-quality security researchers. Protect AI will provide support in triaging vulnerabilities with its own security team and you’ll be able to make use of all the new features that we’re working on.

I’m a Maintainer of an OSS project that used huntr.dev for vulnerability disclosure. What does this mean to me?

Unless you’re listed on huntr.com/bounties, we won’t be able to continue supporting vulnerability disclosure for your project. You can still see your project's data on our platform, but future updates might stop you from accessing it. So, it's best to save your data somewhere else. We won't make changes that affect your data access until after November 30th, 2023.

I’m a Security Researcher. What does this mean to me?

More exciting targets, bigger bounties and faster payouts! As we zoom in on OSS projects that affect AI/ML systems, we’ll be able to use our resources more efficiently. This means that we can put more money into funding bounties, leveraging our security team for reviewing reports, whilst continuing to deliver great features to make your and the maintainers’ lives easier.

About Protect AI:

Who is Protect AI?

Protect AI enables safer AI applications by providing organizations the ability to see, know and manage their ML environments. Protect AI’s platform provides visibility into the ML attack surface by creating an ML Bill of Materials (MLBOM), detects unique ML security threats, and remediates vulnerabilities. Founded by AI leaders from Amazon and Oracle, Protect AI is funded by Acrew Capital, boldstart ventures, Evolution Equity Partners, Knollwood Capital, Pelion Ventures and Salesforce Ventures. The company is headquartered in Seattle, with offices in Dallas and Raleigh. For more information visit us on the web, and follow us on LinkedIn and X/Twitter.

How will Protect AI's focus on AI/ML systems affect the direction of huntr.dev/huntr.com?

As the name suggests, we’ll be strictly focussing on components that affect AI/ML systems moving forward. Whilst this is a change from the original vision for huntr.dev, this opens up grand new opportunities to find & fix vulnerabilities in the complex and rapidly evolving world of AI/ML.

Can we expect any collaborations or special projects as a result of this acquisition?

Keep your eyes peeled for more news on this in the coming months!

A Focus on AI/ML:

Why is the new focus specifically on vulnerabilities in AI/ML open source software?

OSS has become one of the most important components for helping companies innovate quickly and maintain a competitive advantage. It underpins much of the software used by organizations in their applications, particularly for Machine Learning and Artificial Intelligence applications. While OSS offers clear benefits, it also poses inherent security risks. Although widespread efforts have gone into securing the software supply chain, AI/ML security has been overlooked. Protect AI is committed to helping build a safer AI-powered world, and in doing so has taken significant steps towards securing the AI/ML supply chain.

Are traditional software vulnerabilities no longer a priority?

We continue to accept and reward vulnerabilities that would fit into the classification of “traditional software vulnerabilities”, as long as they impact AI/ML systems. However, the priority now is vulnerabilities that have a direct impact on the unique ways that AI/ML systems are built, trained, deployed and operated.

What constitutes a vulnerability in an AI/ML system?

As the field of AI/ML security is still in its early stages, the definitions are constantly changing, but our current thoughts center around whether an exploit can directly lead to the unauthorized reading or writing of an AI/ML model or training data.

Bug Bounty Process:

Has the bug bounty submission process changed after the transition?

At its core, the bug bounty submission process remains the same. We pride ourselves on the transparent approach we take to vulnerability appraisal (via the industry's first upfront bounty calculator) and keeping you in the loop when it comes to maintainer outreach & follow-ups. As always, we’ll continue to iterate on our bounty calculator based upon feedback and we strive to improve the report review process by leveraging Protect AI’s resources to quicken triaging.

Are there different reward tiers or structures for finding vulnerabilities in AI/ML systems?

Our reward structure is constantly evolving based upon the feedback we receive. Currently, we place an emphasis on vulnerabilities that directly impact AI/ML systems by simply asking the question “Does this vulnerability allow for the reading or writing of ML models or training data?”. Where we see this kind of impact, we may multiply bounties by up to 10x!

Are there any new rules or guidelines to follow when hunting for AI/ML vulnerabilities?

Yes, please see huntr.com/policies for the latest guidelines.

Platform Functionality & Features:

Will the existing features and tools on huntr.dev remain on huntr.com?

For the most part, yes! All core features remain (the bounties page, submission form, hacktivity, profiles and dashboards), but we’re re-designing a few things as well.

Are there any new tools or resources available specifically for AI/ML vulnerability hunting?

We’re building a whole collection of new tools and resources to help get you started on your AI/ML hacking journey. We’re starting off with a Getting Started guide and then we’ll begin working through the impactful vulnerabilities you are finding, turning them into tools that others can leverage to test systems.

How will huntr.com ensure that reported vulnerabilities are legitimate and not false positives, especially in complex AI/ML systems?

Whilst we can’t guarantee that a report is not a false positive, we have built controls to try and minimize the likelihood of false positives so as to not waste anyone’s time. We discourage spam and low-quality reports by heavily penalizing users who submit reports of this nature. Soon we will also allow maintainers to define a reputation threshold to block reports of this nature. Additionally, we have built filtering controls that allow maintainers to define characteristics of reports that should automatically be flagged as a false positive (i.e. by file/directory or vulnerability type). However, wherever we publish a CVE for a report, it will have been reviewed and approved by either a maintainer or one of our staff.

Existing Bounties & Points:

What happens to the bounties that were listed on huntr.dev? Will they be transferred to huntr.com?

We will continue to honor bounties as present on already submitted reports, as long as they’re validated by November 30th, 2023. Moving forward, we will only be offering bounties on AI/ML projects listed at huntr.com/bounties.

If I had points or a ranking on huntr.dev, will they be carried over to huntr.com?

Yes, all points and rankings will transfer over to huntr.com. However, we are re-working our ranking system, so you may see some changes to your rank over the coming months as this is adjusted.

User Accounts & Data:

Will I need to create a new account on huntr.com or can I use my huntr.dev credentials?

No, all user accounts will transfer over to huntr.com and you’ll continue to be able to access the platform via the existing authorization methods.

How is user data from huntr.dev being handled during the transition? Is my personal information safe?

Yes, your user information continues to be safe and secure. This data is not being transferred as part of this migration. We leverage Amazon Cognito to manage authorization and to store your user information. For more information on how this is secured, please see here.

Will there be any downtime or maintenance periods during the transition?

We do not foresee the need for any downtime or maintenance periods during this transition.

Community & Support:

Are there any community events or workshops planned to introduce us to AI/ML vulnerability hunting?

We're organizing community events and workshops with a specific focus on AI/ML bug hunting, aiming to tackle security challenges responsibly and elevate the skills of the huntr community. Stay connected by joining our Discord or following us on X/Twitter for event updates, and become an integral part of our dedicated AI/ML hacking community committed to enhancing security practices.

Who can I contact if I have questions or need support during this transition?

We’re here to support you through this transition. Feel free to reach out to us on Discord or you can speak directly with our team at support@huntr.com.

So what comes next?

Our top priority is doing well by the community in their pursuit of AI/ML vulnerabilities. To support this, our first goal is re-jigging our triage process to be able to more consistently get reports reviewed and to be able to go public with them if a maintainer is uncooperative/unresponsive. Following this, we want to smooth out some of the rougher edges of the platform. In parallel to this work, we’re developing resources to help more hackers get started in this space and to give them tools to help them find common attack vectors in commonly used AI/ML OSS.

Where can I go to follow the huntr journey?

Be sure to follow us on X/Twitter and Mastodon, drop in and say hi on our Discord and be sure to register and visit the site frequently to see all the new things we’re working on.