Qualcomm has announced a bug bounty program inviting researchers to submit reports on security flaws in its Snapdragon processors, LTE modems, and hardware.
Administered by HackerOne, the program was announced on Thursday. Qualcomm claims this is the “first of its kind” by a major silicon vendor. Snapdragon processors are mainly used in mobile devices such as tablets and smartphones, alongside LTE modems and related technologies.
Qualcomm’s vulnerability rewards program primarily focuses on the entire range of Snapdragon processors. However, details about which types of security flaws Qualcomm is particularly interested in are scarce for now. On the official bug bounty page, Qualcomm asks researchers to include in their reports details such as the vulnerability type (for example, buffer overflow or integer overflow bugs) and the potential impact of the problem, such as remote code execution or information leaks, to name a few.
Besides that, the company asks researchers to provide a list of affected product versions, instructions on how to reproduce attacks, and proof-of-concept (PoC) examples. Researchers who report valid security flaws can earn up to $15,000, and accolades will also be given through the CodeAuroraForum Hall of Fame or Qualcomm’s QTI Product Security.
“The most security-conscious organizations embrace the hacker community’s critical role in a comprehensive security strategy. With this program, they will continue to build vital relationships with the external security researcher community and supplement the great work their internal security team is doing,” says Alex Rice, chief technology officer of HackerOne.
Qualcomm’s vulnerability rewards program is not yet open to all participants. In the meantime, Qualcomm is working out the finer details. Approximately 40 researchers who have previously approached the company with vulnerability disclosures will be invited to join.
“The invite-only decision was made to keep Qualcomm’s options open. But if someone outside felt like they had a good vulnerability, they should feel free to reach out,” says Alex Gantman, vice president of engineering.
Qualcomm says it hopes to patch disclosed vulnerabilities within 90 days.