If you want to find weaknesses in your vault or safe, it couldn't hurt to hire a thief to try to break into it. If you want to do the same thing for your brand new system-on-a-chip, the same principle applies to hackers and security experts. So goes the thinking behind Qualcomm's latest outreach to the security industry: a bug bounty program offering prizes of up to $15,000 for disclosed vulnerabilities in the company's Snapdragon chipsets and LTE modems.
This sort of thing isn't unprecedented - software vendors in particular have offered cash prizes for successful hacks for decades. The idea is that creative and intelligent hackers discover the weakest points in a given system, then inform the makers of that system instead of (or in addition to) the public. Hackers get paid, companies fix their products, everybody wins. Qualcomm's program will be administered in cooperation with HackerOne, a B2B company dedicated to this kind of organized bug identification and disclosure.
A wide variety of chipsets are currently in play: everything from the relatively outdated Snapdragon 400 (now mostly found in Android Wear devices) all the way up to the Snapdragon 821, plus four models of Snapdragon X modems. Qualcomm is also offering bounties for Android for MSM Linux vulnerabilities, root, bootloader, and modem firmware bugs, plus errors in Qualcomm's Secure Execution Environment. To qualify for the bounties, submissions must be new, exclusively submitted to the bug program, and treated as confidential until published by Qualcomm - pretty standard stuff.
If you're ready to get cracking, check out Qualcomm's full list of rules and bug tiers here.
Qualcomm Incorporated (NASDAQ: QCOM) today announced that its subsidiary, Qualcomm Technologies, Inc. (QTI), is launching its vulnerability rewards program designed to expand collaboration with invited white hat hackers who improve the security of the Qualcomm® Snapdragon™ family of processors, LTE modems and related technologies. The program is the first of its kind to be announced by a major silicon vendor, and will be administered in collaboration with vulnerability coordination platform HackerOne, offering rewards of up to $15,000 USD per vulnerability as well as recognition in either the QTI Product Security or the CodeAuroraForum Hall of Fame, depending on the nature of the submission.
“We have always been proud of our collaborative relationship with the security research community. Over the years, researchers have helped us improve the security of our products by reporting vulnerabilities directly to us,” said Alex Gantman, vice president, engineering, Qualcomm Technologies, Inc. “Although the vast majority of security improvements in our products come from our internal efforts, a vulnerability rewards program represents a meaningful part of our broader security efforts.”
“The most security-conscious organizations embrace the hacker community's critical role in a comprehensive security strategy,” said Alex Rice, chief technology officer, HackerOne. “With Qualcomm Technologies’ vulnerability rewards program they will continue to build vital relationships with the external security researcher community and supplement the great work their internal security team is doing.”
Over 40 security researchers who have made vulnerability disclosures in the past will be invited to initially participate. The program will be administered by HackerOne and participation details are available at https://hackerone.com/qualcomm.
The vulnerability rewards program is effective immediately.