Qualcomm launches bug bounty program for Snapdragon chips, modems

The worst security flaws reported by researchers can net rewards of up to $15,000.
Written by Charlie Osborne, Contributing Writer

Qualcomm has launched a bug bounty program to entice researchers to submit reports on security flaws in Snapdragon processors, LTE modems, and hardware.

The program, administered by HackerOne, was announced on Thursday in what Qualcomm says is the "first of its kind" to be announced by a major silicon vendor.

Qualcomm's vulnerability rewards program focuses on the Snapdragon processor range, used to power mobile devices such as smartphones and tablets, alongside LTE modems and "related technologies."

Details are thin on the ground at the moment in relation to what types of security flaws Qualcomm is particularly interested in, but on the bug bounty's page, the company asks researchers to submit details in their reports including vulnerability types -- such as buffer overflow or integer overflow bugs -- and the potential impact of a problem, such as remote code execution or information leaks.

In addition, Qualcomm asks for researchers to provide affected product and version lists, instructions on how to reproduce attacks, and proof-of-concept (PoC) examples.

Researchers can earn up to $15,000 for valid security flaws and will also be given accolades through Qualcomm's QTI Product Security or the CodeAuroraForum Hall of Fame.

"The most security conscious organizations embrace the hacker community's critical role in a comprehensive security strategy," said Alex Rice, chief technology officer of HackerOne. "With Qualcomm Technologies' vulnerability rewards program, they will continue to build vital relationships with the external security researcher community and supplement the great work their internal security team is doing."

See also: Bug bounties: 'Buy what you want'

The program is not yet open to all participants, however. While Qualcomm works out the finer details, approximately 40 researchers which have approached the firm in the past with vulnerability disclosures will be invited to join in -- and earn rewards from today.

Alex Gantman, vice president of engineering at Qualcomm, said the invite-only decision was made to "keep [Qualcomm's] options open," but if "someone outside felt like they had a good vulnerability, they should feel free to reach out."

Qualcomm says the company hopes to patch disclosed flaws and vulnerabilities within 90 days.

In August, Panasonic launched a bug bounty program focused on the company's avionics technologies; in particular, in-flight entertainment systems.

The 10 step guide to using Tor to protect your privacy

Editorial standards