Huntr

Huntr positions itself as the world's pioneering bug bounty platform exclusively focused on the Artificial Intelligence and Machine Learning (AI/ML) supply chain. Its core mission is to create a secure and stable environment for the development and deployment of AI technologies by fostering a collaborative bridge between security researchers and the maintainers of open-source AI/ML projects. The platform provides a centralized, streamlined process for discovering, reporting, and remediating vulnerabilities across a wide spectrum of the AI ecosystem, from foundational libraries like PyTorch and TensorFlow to popular applications and critical model file formats.

By incentivizing ethical hacking, Huntr has built a vibrant community of over 15,000 security professionals and developers. This community has been instrumental in uncovering hundreds of significant vulnerabilities, with a high percentage being of critical or high severity. The platform's impact is recognized by major players in the AI industry, including a notable partnership with Hugging Face, underscoring its crucial role in safeguarding the tools that power modern AI.

How to use Huntr

The process for engaging with Huntr is designed to be clear and efficient for both researchers and project maintainers, following a structured four-step lifecycle for vulnerability disclosure:

1. Disclose: A security researcher discovers a potential vulnerability in a listed AI/ML project or model file format. They submit their findings through Huntr's secure and confidential reporting form, providing a detailed explanation and a proof-of-concept (PoC).
2. Validate: The Huntr team triages the submission and contacts the relevant project maintainer. The maintainer is given a 31-day window to respond and validate the report. If the report is high or critical and receives no response, the Huntr team may manually validate it to ensure timely action.
3. Reward: Once a vulnerability is confirmed as valid by either the maintainer or the Huntr team, the researcher is rewarded with a financial bounty. The bounty amount varies based on the severity and scope of the vulnerability. Validated reports are also assigned a CVE identifier, giving official recognition to the researcher's work.
4. Publish: To promote transparency and knowledge sharing, validated vulnerability reports for open-source software are publicly disclosed after a 90-day embargo period, which can be extended if the maintainer requires more time for a fix. Reports concerning model file formats are typically not disclosed publicly to prevent widespread exploitation.

Core Features of Huntr

• Dual Bug Bounty Programs: Huntr offers two distinct programs: Open Source Vulnerabilities (OSV) for AI/ML applications and libraries, and Model File Vulnerabilities (MFV) specifically targeting formats like .safetensors, .gguf, and .pkl.
• Financial Incentives: The platform provides competitive bounties to reward researchers for their efforts, with payouts reaching up to $1,500 for OSV and up to $4,000 or more for critical MFV discoveries.
• CVE Assignment: Validated vulnerabilities are assigned a Common Vulnerabilities and Exposures (CVE) ID, providing formal industry recognition for the researcher's discovery.
• Collaborative Platform: It serves as a central hub connecting thousands of security researchers with maintainers of hundreds of critical AI/ML projects, including those from NVIDIA, Google, Meta, Microsoft, and Hugging Face.
• Structured Disclosure Process: A clear, responsible disclosure timeline ensures that maintainers have adequate time to patch vulnerabilities before they are made public.

Use Cases for Huntr

Huntr is valuable for various stakeholders within the AI ecosystem:

• Security Researchers: Can legally and ethically test popular AI/ML tools, monetize their security skills, and build their professional reputation through CVEs.
• Open Source Maintainers: Receive a managed inflow of high-quality, vetted security reports, reducing the burden of managing disclosures and helping them secure their projects effectively.
• Enterprises & MLOps Teams: By encouraging the security of the open-source components they rely on, companies can significantly reduce their AI supply chain risk and protect their production systems from potential exploits.
• AI/ML Developers: Can learn about common security pitfalls and best practices specific to the AI domain by reviewing published vulnerability reports.

Advantages of Huntr

The primary advantage of Huntr is its specialized focus. Unlike general-purpose bug bounty platforms, Huntr possesses deep expertise in the unique threat vectors affecting AI/ML systems, such as model poisoning, data leakage, and deserialization attacks in model files. This specialization attracts top-tier security talent with relevant skills, leading to more impactful discoveries. It fosters a proactive, community-driven security culture that strengthens the entire AI ecosystem, making it safer for everyone from individual developers to large corporations.

Pricing and Plans

For security researchers and open-source maintainers, participation in the Huntr platform is free. Researchers join to contribute their skills and earn bounties, while maintainers can manage vulnerability reports for their projects without any cost. The financial rewards (bounties) are sponsored by Huntr and its partners. Payouts are made monthly via Stripe Connect for validated and rewarded vulnerabilities.