ZTE widens bug bounty to focus on 5G security

Chinese networking equipment vendor is working with bug bounty platform YesWeHack to test a range of products that include 5G networking systems, smartphones, Internet of Things devices, and cloud systems.
Written by Eileen Yu, Senior Contributing Editor

ZTE has widened a bug bounty scheme to plug security vulnerabilities in its products, especially potential holes brought about by the launch of commercial 5G networks and services. The Chinese networking equipment vendor is working with bug bounty platform YesWeHack to test a range of products, including smartphones as well as cloud computing and database management systems. 

Having previously worked with YesWeHack on a private bug bounty programme that was open only to a few security researchers, ZTE's new bug bounty is public and available to YesWeHack's entire global network of more than 30,000 researchers to participate. They can be awarded up to €2,000 ($2,311) for each bug uncovered, with the final amount awarded depending on the severity level. 

YesWeHack researchers currently are based in 170 countries worldwide. When ZDNet spoke with its Asia-Pacific managing director Kevin Gallerin in July, the bug bounty platform worked with 10,000 security researchers in this region. 

In a statement Monday, YesWeHack said the deployment of 5G networks had further underscored the importance of cybersecurity in the telecoms industry, with such rollouts increasing potential attack surfaces and introducing new technologies and techniques into the threat landscape. 

"In addition, the ability of 5G to support massive Internet of Things (IoT) connectivity introduces many times more devices connected to the network, presenting a wide-reaching and increased attack surface," it said. 

ZTE's product portfolio spans handsets, mobile broadband, terminal chipset modules, and peripheral products. The bug bounty would enable the Shenzhen-based vendor to build a "sound cybersecurity governance structure" and "security assurance mechanism" across the entire product lifecycle, YesWeHack said.  

ZTE's chief security officer Zhong Hong said in the statement: "Through openness and transparency, we try to give our customers confidence by letting them see what we do and how we provide end-to-end security. Our partnership with YesWeHack will help to enhance the security of ZTE's products and confront new challenges brought by the 5G network commercialisation."

The ZTE bug bounty covers product categories such as the vendor's 5G Common Core fixed networking systems, 5G NR (New Radio) equipment, smart home and video IoT systems, and Axon and Blade smartphone series. 

ZTE has remained on the list of telecoms equipment barred from being purchased using the US Federal Communications Commission's (FCC) Universal Service Fund, after the US government agency In November rejected the Chinese vendor's request to be removed as a national security threat. 

The FCC last month set out its conditions for small carriers looking to be reimbursed for ripping out and replacing network equipment and services from ZTE and Huawei. Amongst the conditions it listed for access to the designated $1.9 billion in funds, the commission said eligible expenses included the cost of removing, replacing, and disposing of ZTE and Huawei equipment and services obtained on or before June 30 last year.  

The reimbursement scheme had been in the works for two years after the FCC officially labelled the two Chinese networking equipment vendors as national security threats in July 2020. 

GSMA has projected Asia-Pacific to be the world's largest 5G region by 2025, hitting 675 million connections -- or more than half of the global volume. However, the industry group revised its 2020 projection of 5G connections to be 20% lower than its previous forecast due to the global pandemic.  

It said the region's growth would be led by markets such as China, Japan, and South Korea, with mobile operators investing $331 billion in building out their 5G networks. GSMA further estimated that 24 markets across Asia-Pacific would have launched 5G by 2025, including China, where 28% of mobile connections would run on 5G networks and account for a third of the world's 5G connections. 

Related coverage

Editorial standards