Qualcomm launched a bug bounty program to encourage hackers to disclose vulnerabilities in its processors, LTE modems, and other hardware.
The program will offer up to $15,000 per vulnerability. Qualcomm said it is the first major semiconductor vendor to announce a program like this, and the company is working with the HackerOne platform to make sure everything goes off without a hitch. If this program is successful--and other hardware companies follow in Qualcomm's footsteps--future smartphones could be more secure than any of their currently available counterparts.
The company is quick to note in its announcement that it won't rely exclusively on other security experts to find problems with its security:
“We have always been proud of our collaborative relationship with the security research community. Over the years, researchers have helped us improve the security of our products by reporting vulnerabilities directly to us,” said Alex Gantman, vice president, engineering, Qualcomm Technologies, Inc. “Although the vast majority of security improvements in our products come from our internal efforts, a vulnerability rewards program represents a meaningful part of our broader security efforts.”
But offering financial rewards to researchers encourages them to examine Qualcomm's products and disclose any vulnerabilities they find. The alternative could be inattention from security experts or, worse, someone finding a security flaw and selling it to the highest bidder. That isn't unheard of: In 2015, a company called Zerodium offered $1 million to anyone who could find vulnerabilities that would bypass the security features of iOS 9.
That's why more companies are paying security experts, researchers, and hackers to point out the flaws in their products. Because many of these programs focus on software, though, more people might be inspired to look for vulnerabilities in the hardware itself. Qualcomm's bug bounties could help the company's products stand up to the increased interest and ensure that a phone's hardware won't allow it to be compromised via cyberattacks.
Here's the list of hardware products Qualcomm wants experts to examine:
Snapdragon 400 Snapdragon 615 Snapdragon 801 Snapdragon 805 Snapdragon 808 Snapdragon 810 Snapdragon 820 Snapdragon 821 Snapdragon X5 Modem Snapdragon X7 Modem Snapdragon X12 Modem Snapdragon X16 Modem
The bug bounty program is currently limited to 40 security experts who have disclosed vulnerabilities in these products before, but Qualcomm and HackerOne will invite more researchers to participate in the program over time. Anyone interested in the particulars about the program, such as how much Qualcomm will pay for specific vulnerabilities or how to report any bugs to the companies, can find them on the HackerOne website.
