Qualcomm has announced a private bug bounty program with HackerOne, the first of its kind offered by a major silicon vendor.
The program offers up to $15,000 for vulnerabilities found in the Qualcomm Snapdragon family of mobile processors, LTE modems and related technologies. Over 40 security researchers who have disclosed vulnerabilities to Qualcomm in the past have been invited to participate; for now, the program will remain invitation-only, and Qualcomm said that it would gradually invite more security researchers in.
“We have always been proud of our collaborative relationship with the security research community. Over the years, researchers have helped us improve the security of our products by reporting vulnerabilities directly to us,” said Alex Gantman, vice president, engineering, Qualcomm. “Although the vast majority of security improvements in our products come from our internal efforts, a vulnerability rewards program represents a meaningful part of our broader security efforts.”
To maximize the effectiveness of its response processes, Qualcomm is asking that submissions contain as much detail as possible, including a written description of the vulnerability, information on the relevant source code snippets or binary analysis, and proof-of-concept code or any other supporting material that may help assess the vulnerability.
Examples of such reports also usually include information about the affected devices and versions, descriptions of issue impact and vulnerability type and/or an attack scenario, and instructions on reproducing the issue.
“The most security-conscious organizations embrace the hacker community's critical role in a comprehensive security strategy,” added Alex Rice, chief technology officer, HackerOne. “With Qualcomm Technologies’ vulnerability rewards program they will continue to build vital relationships with the external security researcher community and supplement the great work their internal security team is doing.”