Netgear partnered up with Bugcrowd to offer between $150 and $15,000 to researchers who find security flaws in its hardware, mobile apps, and APIs.
The partnership was made shortly after critical vulnerabilities were discovered in several Netgear routers. These problems would have allowed someone to take over the affected devices with a malicious web page or advertisement--which could in turn have given them a legion of bots that could be used for attacks on popular services. The issues were discovered by "Acew0rm" in August 2016; Netgear didn't respond to the vulnerabilities until December.
That failure to patch the affected routers stemmed from a simple mistake: Netgear didn't notice Acew0rm's email about the problem. This led Acew0rm to go public with the vulnerability, which captured the company's attention but also showed attackers how to compromise the affected routers. Such is the double-edged sword of public disclosure. Often it helps prod companies into fixing problems, but in the meantime, consumers are left vulnerable.
This is what a Netgear spokesperson told Tom's Hardware at the time:
This vulnerability, which has come to be referred to as VU 582384 was overlooked in our review process. We initially became aware of this vulnerability last Friday, December 9th, when CERT emailed us, and because we had no record of a prior report, began our standard process of validating prior to making any public statements. Once it had been disclosed that the first notification occurred in August, we conducted a search and confirmed this was the case. Admittedly, this was an oversight on our part. While no security reporting system is perfect, we aim to do better, and are evaluating how to improve our response process.
Creating a bug bounty program is certainly one way to respond to this problem. These initiatives have become increasingly popular as more companies recognize that their products are under constant attack. They aren't just limited to software companies-- manufacturers like Qualcomm, auto companies like Fiat Chrysler, and even the European Parliament are just a few of the organizations that recently introduced or expanded bug bounty programs.
Here's Netgear vice president of information technology Tejas Shah on the program:
As the innovative leader in connecting the world to the internet, NETGEAR must earn and maintain the trust of their users by protecting the privacy and security of their data. Being proactive when it comes to security is fundamental to NETGEAR’s approach. By adding a managed bug bounty program through Bugcrowd, we are adding one more layer to our security program.
Researchers interested in poking around Netgear's systems for fun and profit can find out how to do so on Bugcrowd's website. Given how critical routers are to most consumers, and how popular Netgear's products are, this program could have a profound impact on digital security. At the very least it could help make sure people's routers aren't being used to conduct attacks on big websites, critical services, and other infrastructure.