Blackphone offers hackers bucks for bugs

Blackphone and communications security firm Silent Circle are offering hackers US$128 per security-related vulnerability found in its mobile operating system and associated platforms in a new bug bounty program.
Written by Leon Spencer, Contributor

Blackphone and Silent Circle today announced the launch of a bug bounty program, offering hackers US$128 per security-related bug found in its modified Android PrivatOS operating system, update servers, cloud infrastructure, websites, and associated web services.

The Silent Circle program encompasses the client apps, network services, cloud infrastructure, websites, and web services. Silent Circle will pay a minimum of US$128 per security-related bug.

Meanwhile, the Blackphone program also offers a US$128 bug bounty, and encompasses PrivatOS, update servers, and associated web portals.

The program stipulates a number of rules that contenders must follow in order to be eligible for the bounty. These include that the contender must be the first to report a vulnerability, and that the vulnerability must be a "qualifying vulnerability".

Additionally, the companies can't be legally prohibited from rewarding a contender; the vulnerability cannot be publicly disclosed prior to the implementation of a resolution; and the hacker cannot be an employee of the companies.

"We have high expectations for security and privacy. In order to deliver on our expectations we must continually build a strong relationship with the security research community," said Blackphone and Silent Circle chief security officer Dr Daniel Ford.

The US$629 Blackphone began shipping in June, and is billed as a consumer-grade smartphone created through a joint venture between encryption specialist Silent Circle, Geeksphone, and SGP Technologies.

The handset uses a tailored Android operating system, dubbed PrivatOS, and features remote wiping tools and subscriptions to encrypted communication apps including Silent Phone and Silent Text.

The Blackphone is being positioned in the market as a competitor to Research in Motion's BlackBerry offering, which has retained customers within professional security, government, and some business circles, despite dropping off in the consumer stakes.

The Blackphone's introduction to the market has seen criticism from BlackBerry, with a post on the company's official blog stating that the only similarities the two companies share "end with the name".

BlackBerry says the Blackphone is consumer-driven, and "appears to be designed to operate outside the realm of IT oversight."

SGP Technologies chief executive Toby Weir-Jones posted a response criticising his "friends" at BlackBerry, stating that while the company is willing to extol its own virtues at Blackphone's expense by calling the handset "inadequate" for business users, BlackBerry had no problem "compromising its integrity" if sufficient government pressure was applied.

Meanwhile, Blackphone is working to sell its security credentials into a market that sees both Apple's iOS 8 and Google's soon-to-be-released Android L operating systems introduce default encryption, with the on-device decryption key protected by the user's passcode.

One of Blackphone's primary selling points has been its on-board, default government- and enterprise-level encryption technology.

The Blackphone and Silent Circle bug bounty program comes as Microsoft launches a cloud bug bounty program, beginning with Office 365, with the minimum payment for a qualifying bug starting at US$500.
