Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

12/15/2017
11:02 AM
50%
50%

Mobile Device Makers Increasingly Embrace Bug Bounty Programs

Samsung is the latest to join a small group of smartphone makers to cast their net wide on catching vulnerabilities in their devices.

With the rise of mobile threats and ubiquitous use of smartphones, mobile device makers are increasingly throwing their resources toward bug bounty programs to shore up the security of the devices.

Samsung, which holds the largest market share for Android devices, launched a bug bounty program earlier this year, offering up to $200,000 per vulnerability discovered, depending on its severity. It joined Apple, which launched its bug bounty program in 2016, as well as Google, which kicked off its Android Security Rewards Program in 2015. Silent Circle, which offers Blackphone, was the first mobile company to hold a bug bounty back in 2014.

"Is this a sign that mobile device makers are taking security more seriously? Absolutely," says Alex Rice, co-founder and chief technology officer of HackerOne. "It rises the tide for everyone and the ones that don't do it will look like outliers."

Bug bounties, which reward ethical hackers for finding vulnerabilities in software and hardware, have been around since Netscape kicked off the first one in 1995, but only recently have mobile device makers joined the pack.

Bug bounty programs can be offered and managed by companies that want to find vulnerabilities in their own products, or can be outsourced to a bug bounty company, such as HackerOne or Bugcrowd, to manage. Some bug bounty programs are public, while others are private invite-only affairs.

Catalyst for Change

It has taken mobile device makers awhile to offer bug bounty programs because they have had to wait for the mobile ecosystem to mature, Rice says.

"Mobile device makers are inter-connected with other partners," Rice explains. "They don't have control over the entire attack surface … If you're the manufacturer, you want to only offer a bug bounty program for something you can fix."

But with more partners in the mobile device stack offering bug bounty programs, such as chipset maker Qualcomm and Google's Android, it is easier for mobile device manufacturers to do the same, he says.

"Although only vulnerabilities that are specific to Samsung mobile devices or its apps are eligible for its program, at least now they have a cohesive story to where they can redirect [bug hunters] to other partners in their stack."

Another challenge for mobile bug bounty programs is finding enough researchers to participate in the programs, says Casey Ellis, founder and chief technology officer of Bugcrowd.

Three or four years ago, Bugcrowd had to inform and solicit the ethical hacker community to focus on mobile devices and to get in early on the ground floor, Ellis recalls. But, in some respects, it has been a tough sell.

"Mobile devices are harder targets than web and mobile apps, so in the bounty context, the hacker return on investment can draw folks away from them. That said, it’s an extremely valuable skill set and a rapidly growing attack surface," Ellis notes.

Mobile bug bounty hunters also face a challenge in getting access to all of the components in a device, which adds another layer of complexity and work, Rice says.

Hard Money, Soft Money

A discovery of a hardware vulnerability tends to pay out more than a software flaw in bug bounty programs, say bug bounty experts.

"Finding vulnerabilities in hardware often requires more research, time, and a rarer set of skills than bug finding in applications," Ellis says. "Because of this, hardware bugs are typically priced higher to reflect their impact and to incentivize talented researchers to join the hunt."

Rice noted vulnerabilities that allow remote code execution in trust environments also tend to yield the largest bounty payments.

Although Samsung, Google, and Apple all offer bounty rewards upwards of $200,000, depending on the severity of the vulnerabilities discovered, a HackerOne report notes the average payout for mobile critical vulnerabilities ranges from $383 per bug for the telecom industry to $2,015 for the technology industry.

"I expect to see the amount of bounties rise," Rice says. "I predict we'll see more players in the future and more coverage with the bounty programs for mobile devices and apps."

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-11094
PUBLISHED: 2020-06-04
The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as ...