Qualcomm kicked off its first bug bounty program Thursday, opening the door for white hat hackers to find flaws in a dozen Snapdragon mobile chipsets and related software. Rewards for the invite-only bug bounty program top $15,000 each.
HackerOne will facilitate Qualcomm’s bounty program; the chipmaker is hoping to secure millions of smartphones running Snapdragon silicon, including phones sold by Samsung, LG, HTC and Google.
Eligible Snapdragon products include eight mobile processors, four LTE modems and additional related silicon technologies and software. The bug bounty program will be administered through the Qualcomm Technologies business unit in conjunction with HackerOne. The program, Qualcomm claims, is the first of its kind for a major silicon vendor.
“With Qualcomm Technologies’ vulnerability rewards program they will continue to build vital relationships with the external security researcher community and supplement the great work their internal security team is doing,” said Alex Rice, chief technology officer for HackerOne in a prepared statement.
Qualcomm joins a number of high-profile and recently launched bug-bounty programs. Earlier this month the Department of Defense awarded a contract to HackerOne to bolster the cyber security of the U.S. Army’s digital assets. That complemented another investment by the U.S. government with Synack, which was picked to create a bug-bounty platform for the IRS. HackerOne also ran the high-profile Hack the Pentagon bug bounty program from April 18 to May 12 earlier this year.
Qualcomm and HackerOne said that 40 security researchers have been invited to participate. The bounty program includes a list of chipset models eligible for submissions, along with software components that include Linux kernel code (part of “Android for MSM”) and WLAN and Bluetooth firmware.
At the top range of the bounty program are $15,000 rewards for critical bugs tied to Snapdragon cellular modems. Rewards of $9,000 are tied to ‘critical’ Trusted Execution Environment, or TEE, and bootloader vulnerabilities. Security vulnerabilities rated ‘high’ pay out between $4,000 and $5,000. Vulnerabilities considered ‘medium’ and ‘low range’ offer rewards of $1,000 to $2,000.
Not eligible are issues tied to OEM modifications, some denial-of-service issues and bugs tied to PC software such as USB drivers, according to HackerOne. Qualcomm said the rewards program is effective starting November 17.
Qualcomm’s bug bounty program comes on the heels of this summer’s revelation of four massive vulnerabilities, dubbed Quadrooter, which impacted over 900 million smartphones running Qualcomm chipsets. Security research firm Check Point discovered the vulnerabilities and said they could allow an attacker to elevate privileges on top Android handsets and give an attacker complete control over targeted devices. In October, Google released the last in a series of patches addressing the vulnerabilities.