Chip vendor Qualcomm has launched a new bug bounty programme in a bid to improve the security of its Snapdragon family of processors, LTE modems and related technologies.
The firm is running the programme in conjunction with vulnerability coordination platform, HackerOne. Qualcomm claims the programme to be one of the first from a major silicon vendor.
It has invited security researchers to find vulnerabilities with rewards of up to $US 15,000 (£12,000) per vulnerability as well as recognition in either the QTI Product Security or the CodeAuroraForum Hall of Fame, depending on the nature of the submission. Over 40 security researchers who have made vulnerability disclosures in the past will be initially invited to participate.
“We have always been proud of our collaborative relationship with the security research community. Over the years, researchers have helped us improve the security of our products by reporting vulnerabilities directly to us,” said Alex Gantman, vice president of engineering at Qualcomm Technologies. “Although the vast majority of security improvements in our products come from our internal efforts, a vulnerability rewards programme represents a meaningful part of our broader security efforts.”
Ken Munro, partner at Pen Test Partners, told SCMagazineUK.com that chipsets have been the Achilles heel for some time.
“For instance, the Rockchip chipset is in a plethora of Android devices – in fact, Wikipedia helpfully lists them – so an exploit in the chipset then renders all those devices vulnerable,” he said.
“A problem reported to Rockchip in Flash mode which allowed two forms of attack was ‘fixed' with the issuing of updated firmware by the vendor a couple of years ago. Except it wasn't retrospective, so anyone with an old device would still be vulnerable, and the ‘fix' didn't seem to last. Fast forward to September 2016 and the Bush MyTablet had the same issues: a vulnerable Rockchip in flash mode.”
Munro added that Qualcomm had little alternative given the embarrassing Snapdragon incident which saw over a billion Android devices at risk from a serious security vulnerability giving root access and Quadrooter which saw 900 million devices at risk for a month when the next update was issued.
“The issue wasn't detected internally – it was disclosed by security researchers – so Qualcomm had to act to reassure the market that it takes disclosure seriously. That meant putting in place a proper bug bounty programme and reward process,” said Munro.
“That said, this is more a case of a chip vendor dipping its toe in the water than a brave leap into disclosure. The bug bounty programme is restricted to ‘invited' security researchers which kind of defeats the object.”
He added that bug bounty programmes may wish to seek disclosure from certified professionals but to restrict it to a small band of 40 practitioners seems like they're already limiting the potential of the programme to provide insights into unknown vulnerabilities. “This is a vendor gingerly engaging with the security community very much on their terms,” said Munro.
Javvad Malik, security advocate at AlienVault, told SC that hackers will try to target all layers of the stack in order to find a vulnerability into a system or device.
“I don't think that in doing so the company will attract any more unwanted attention, but it should help uncover some security issues that can be remediated,” he said.
“As bug bounty programmes gain in popularity, we can expect to see a more diverse set of companies such as hardware manufacturers taking this approach.”