Netgear Launches Bug Bounty Program With Bugcrowd

Netgear has partnered with Bugcrowd to offer between $150 and $15,000 to researchers who find security flaws in its hardware, mobile apps, and APIs.

The partnership was announced shortly after critical vulnerabilities were discovered in several Netgear routers. These problems would have allowed someone to take over the affected devices with a malicious web page or advertisement, which could in turn have given them a legion of bots that could be used for attacks on popular services. The issues were discovered by "Acew0rm" in August 2016; Netgear didn't respond to the vulnerabilities until December.

That failure to patch the affected routers stemmed from a simple mistake: Netgear didn't notice Acew0rm's email about the problem. This led Acew0rm to go public with the vulnerability, which captured the company's attention but also showed attackers how to compromise the affected routers. Such is the double-edged sword of public disclosure. Often it helps prod companies into fixing problems, but in the meantime, consumers are left vulnerable.

This is what a Netgear spokesperson told Tom's Hardware at the time:

This vulnerability, which has come to be referred to as VU 582384, was overlooked in our review process. We initially became aware of this vulnerability last Friday, December 9th, when CERT emailed us, and because we had no record of a prior report, began our standard process of validating prior to making any public statements. Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.

Creating a bug bounty program is certainly one way to respond to this problem. These initiatives have become increasingly popular as more companies recognize that their products are under constant attack. They aren't limited to software companies: manufacturers like Qualcomm, auto companies like Fiat Chrysler, and even the European Parliament are just a few of the organizations that recently introduced or expanded bug bounty programs.

Here's Netgear vice president of information technology Tejas Shah on the program:

As the innovative leader in connecting the world to the internet, NETGEAR must earn and maintain the trust of their users by protecting the privacy and security of their data. Being proactive when it comes to security is fundamental to NETGEAR’s approach. By adding a managed bug bounty program through Bugcrowd, we are adding one more layer to our security program.

Researchers interested in poking around Netgear's systems for fun and profit can find out how to do so on Bugcrowd's website. Given how critical routers are to most consumers, and how popular Netgear's products are, this program could have a profound impact on digital security. At the very least it could help make sure people's routers aren't being used to conduct attacks on big websites, critical services, and other infrastructure.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • BoredSysAdmin
    It seems like a logical step towards improving the security of their software, only in the case of Netgear I predict their program would run out of its budget quite soon. This would be like paying for Google Adwords for the word "mesothelioma" to be the top result, but having a $10,000 campaign budget... (spoiler: the budget won't last longer than one hour)
  • cbsecurity
    Bug bounty programs are a great foundation for securing applications, particularly firmware. However, because of laws in the US that can potentially put white hat hackers in jail, the best results might not come from the bug bounties, but from actually hiring white hat/ethical hackers to perform testing under the protection of the company. It's important not only for companies to look to these talented techs, but also to build knowledge and expertise in these areas internally.
  • wifiburger
    Any company that does these kinds of things, you already know they have high-paid salaried staff with 0 skills when it comes to testing / engineering.