During DEF CON in August, Twitter became the preferred medium for submitting bugs found in the Blackphone, the smartphone marketed on its security and privacy, including one high-profile claim on the social network that the phone had been rooted.
That wasn't the final straw that led to today's announcement of a bug bounty; it was the first.
“I wanted to get that off Twitter and onto something that could be managed,” said chief security officer Daniel Ford. “Otherwise, I would have to hire people to manage my Twitter account. Especially after DEF CON—and during—people were going bonkers submitting things over Twitter and over email.”
Blackphone and Silent Circle today got a formal bug bounty program off the ground that will live on the Bugcrowd platform. The scope of the program extends from the PrivatOS operating system to the company's update servers and web portals. Payouts start at $128 per bug, and Ford said for now there is no ceiling on bounties.
“We have a big target on our chest,” Ford said. “We want to continue being the most secure, private Android device manufacturer out there, and a lot of people think it can’t be done. Today, we’re still a small company, but we figure there are a lot of people who want a secure, private smartphone and we think those same people who want one are willing to help us achieve our goal.”
Bugcrowd was founded two years ago; its business model is crowdsourcing vulnerability discovery and management. Researchers—more than 11,000 today—sign up with Bugcrowd and can be invited to participate in public or private bug-hunts and can be rewarded for their findings.
“This is a complement to what we have [in-house],” Ford said. “In a lot of ways, no matter what we did, we could never take the combined experiences the security researcher community has to offer to do this. I can’t hire hundreds of people to perform this task. This is a way of being able to crowdsource that capability.”
Crowdsourcing vulnerability research is a growing trend, with a number of high-profile technology and e-commerce companies establishing similar bounties through Bugcrowd or other providers. Bug-hunters profit to varying degrees and satisfy a measure of intellectual curiosity by getting a look at code and contributing to product safety and software security.
“We are not able to find everything. I’m limited in my ability to hire good resources and hire external parties to look at things,” Ford said. “Pushing this to anyone with a computer or phone who wants to look at our platform and apps [means they are] able to do so. We’ve taken this and exponentially increased our ability to find flaws in our offering faster and close them out.”
Blackphone and Silent Circle ran a quiet bug submission program on their own and through Bugcrowd before launching it full-scale today. Ford said an average of 10 bugs per day were being reported, with a small percentage considered medium-priority vulnerabilities.
At DEF CON, researcher Jon Sawyer, also known as Justin Case, found three vulnerabilities that, chained together and given an unusual set of preconditions, yielded root access on a Blackphone. Sawyer disclosed the bugs to Blackphone, which patched them in short order. Sawyer, however, first alerted Blackphone via Twitter that the device was about to be rooted.
“DEF CON was probably the start of why we needed to do [a bounty],” Ford said. “We were getting people prior to that submitting some things on Twitter or through our customer service portal, but that shined a bright light on why we had to do this and quickly.
“After the incident at DEF CON, we got more researchers submitting things to us, and that was a good thing,” Ford said. “Now we are able to show the security community the respect it deserves. They wanted to work with us, we needed an easier way to work with them. Twitter wasn’t the right way to do it.”