It's a Bug Hunt: Qualcomm Offering $15K Bounties

With smartphones becoming increasingly inviting targets for hackers, Qualcomm is offering juicy bounties to white hats who identify vulnerabilities in its Snapdragon line of processors.

Brian Santo, Senior editor, Test & Measurement / Components, Light Reading

November 18, 2016


Qualcomm Technologies is going to start awarding bounties of $15,000 for each security vulnerability discovered by security experts who make it on to the company's list of approved "white hat" hackers.

This appears to be the first time a silicon vendor has offered cash awards for finding holes in the security of its chips. The program applies to Qualcomm Inc.'s (Nasdaq: QCOM) Snapdragon family of processors, LTE modems and related technologies.

To implement the plan, Qualcomm is engaging the services of HackerOne, a startup endorsed by security experts from Microsoft, Google and Facebook. The organization offers a set of tools and services that companies can use to manage their responses to security vulnerabilities in a systematic way, and bug bounties can be included as part of the plan. HackerOne has been working with General Motors, Uber, GitHub, Kaspersky Lab and the US Department of Defense, among hundreds of others.

Qualcomm said it intends to invite over 40 security researchers who have already made vulnerability disclosures in the past to participate. The vulnerability rewards program is effective immediately.

"Qualcomm is the latest company turning to what is in effect crowd-sourcing of security vulnerabilities in their products or systems," says Patrick Donegan, chief analyst at Heavy Reading. "They can't be used indiscriminately. There's also a risk attached to inviting hackers to take a crack at your system. On the whole, though, people need to get comfortable with this in the spirit of the great Lyndon Johnson dictum that it's 'better to have him inside the tent pissing out, than outside the tent pissing in.'"


While many of the most serious security lapses publicized typically involve servers and PCs, there has been some alarming news involving handsets in recent days.

At a white hat hackathon in Seoul, one team broke the new Google Pixel in 60 seconds, the Indian Express reported.

Security specialist Kryptowire discovered that some Android phones carry a piece of software, which no user would even have known to look for, that sends the full contents of text messages, contact lists, call logs, location information and other data to a server in China.

Shanghai Adups Technology Company, the company that wrote the software, said it supplied it at the request of some of its handset customers. It might be installed in as many as 700 million phones worldwide, most of them in China, though it was found in some low-end handsets by American manufacturer BLU Products.

As for Qualcomm, Alex Gantman, vice president of engineering at Qualcomm Technologies, said: "Over the years, researchers have helped us improve the security of our products by reporting vulnerabilities directly to us. Although the vast majority of security improvements in our products come from our internal efforts, a vulnerability rewards program represents a meaningful part of our broader security efforts."

"The most security conscious organizations embrace the hacker community's critical role in a comprehensive security strategy," said Alex Rice, chief technology officer at HackerOne. "With Qualcomm Technologies' vulnerability rewards program they will continue to build vital relationships with the external security researcher community and supplement the great work their internal security team is doing."

— Brian Santo, Senior Editor, Components, T&M, Light Reading


About the Author(s)

Brian Santo

Senior editor, Test & Measurement / Components, Light Reading

Santo joined Light Reading on September 14, 2015, with a mission to turn the test & measurement and components sectors upside down and then see what falls out, photograph the debris and then write about it in a manner befitting his vast experience. That experience includes more than nine years at video and broadband industry publication CED, where he was editor-in-chief until May 2015. He previously worked as an analyst at SNL Kagan, as Technology Editor of Cable World and held various editorial roles at Electronic Engineering Times, IEEE Spectrum and Electronic News. Santo has also made and sold bedroom furniture, which is not directly relevant to his role at Light Reading but which has already earned him the nickname 'Cribmaster.'
