Google researcher who discovered Heartbleed bug donates $15K reward

You can’t put a price on karma.


Fran Berkman

When it comes to online security, Neel Mehta puts his money where his mouse is.

The Google Security researcher boosted a fundraiser for online privacy tools past its $100,000 goal by donating the $15,000 reward he received for helping to expose the Heartbleed bug.

The Freedom of the Press Foundation launched the fundraiser in December to support encryption tools that journalists and others can use to protect digital communications.

“We are very grateful to Neel’s donation,” Trevor Timm, the Freedom of the Press Foundation’s executive director, told the Daily Dot in an email. “These encryption tools are incredibly underfunded and this money will go to making the Internet a safer and more secure place.”

Thanks to @neelmehta’s donation, we’ve now raised over $100,000 for a group of great open-source encryption tools:

— Trevor Timm (@trevortimm) April 9, 2014

Timm said Mehta went with the default option on the fundraiser’s page to divide his donation equally between four tools—the LEAP Encryption Access Project, Open WhisperSystems, the TAILS secure operating system and the Tor Project. Contributors also had the option to donate to the Foundation’s own SecureDrop, which allows whistleblowers to securely submit information to media organizations.

After “subtracting what the credit card companies take,” said Timm, the total amounts divided between each of the tools are as follows: 

  • Open WhisperSystems: $19,149.49
  • TAILS: $22,351.05
  • LEAP Encryption Access Project: $17,665.12
  • Tor Project: $19,632.20
  • SecureDrop: $14,403.08

Five percent of all donations ($6,286.28) went toward the foundation’s operating costs.

This is the fourth time since December 2012 that Freedom of the Press Foundation fundraisers have procured more than $100,000 for causes such as WikiLeaks and other journalistic organizations, and to hire a stenographer to produce transcripts of the trial of Chelsea Manning, then known as Bradley Manning, for the public.

It’s common for people who expose security flaws, often referred to as “white hat hackers,” to receive rewards for their work. In October, Microsoft paid $100,000 to British security researcher James Forshaw for uncovering a security bug in Windows 8.1.

A group called the Internet Bug Bounty, which offers cash to those who expose security flaws in software critical to the Internet’s existence, rewarded Mehta for catching the cause of Heartbleed—a problem with OpenSSL, a cryptographic protocol that secures data exchanged between websites and servers.

The minimum reward offered for finding a flaw with OpenSSL is $2,500, but Mehta received six times as much, presumably due to the severity of the bug he helped expose. Security guru Bruce Schneier called Heartbleed “a catastrophic bug” and said, “On the scale of 1 to 10, this is an 11.”

The 2-year-old bug is thought to have affected nearly two-thirds of the Web. If attackers were aware of the bug, which is still unclear, they could have stolen a frightening number of users’ login information from sites ranging from social networks to financial institutions.

Google has not yet responded to our request for an interview with Mehta.

Photo by perspec_photo88/Flickr (CC BY-SA 2.0)

The Daily Dot