Blackphone, Silent Circle Launch Bug Bounty Programs

Security researchers can earn a minimum of $128 by reporting vulnerabilities in the privacy-focused Android-based phone Blackphone and Silent Circle’s secure communications services.

SGP Technologies, the joint venture between Geeksphone and Silent Circle responsible for the development of Blackphone, announced today the launch of two bug bounty programs via the Bugcrowd platform.

For the Silent Circle program, security researchers are encouraged to find and responsibly disclose vulnerabilities in the company’s endpoint applications on supported operating systems, and network services and cloud infrastructure. Many researchers will be pleased to learn that the bug bounty also covers associated websites and Web services.

The Blackphone bug bounty program covers PrivatOS, including available updates and integrated applications, Blackphone update servers, and associated Web portals.

The list of issues excluded from the bug bounties includes descriptive error messages, brute-force or account lockout flaws on login and password recovery pages, clickjacking, self-XSS, and logout CSRF.

While the standard reward is $128 per flaw, Blackphone and Silent Circle will hand out amounts based on the severity of each reported vulnerability. It is also worth noting that both programs require that researchers ask for explicit permission before disclosing the results of a submission.

“We have high expectations for security and privacy. In order to deliver on our expectations we must continually build a strong relationship with the security research community,” said Daniel Ford, CSO of SGP Technologies.

“Ensuring the privacy of its users is at the core of what do, making security of the utmost importance,” noted Toby Weir-Jones, the company’s CEO.  “By launching our Bugcrowd bug bounty program, both companies are assuring their customers that their smartphone and communication software is subjected to the latest testing and assessment techniques, while providing a form of compensation for successful contributors.”

Many organizations have launched bug bounty programs recently, including social media networks Twitter and Pinterest.

“Companies are learning that if you’re going to win at cybersecurity, you’re not going to do it alone. It’s not the smoothest of roads having companies transition from being openly hostile to hackers of any shade of hat, to being open to outside help from those who offer it, but ultimately the more eyes there are on the problem, the more likely it will get found and fixed before it’s exploited,” Casey Ellis, CEO of Bugcrowd, told SecurityWeek.

While many experts agree that responsible disclosure is heading in the right direction, some point out that there are still a number of issues that need to be addressed.

“The software vendor mindset towards vulnerability disclosure continues to evolve from ‘criminal’ to ‘helpful’ but I don’t think we’ve reached the point where anyone can comfortably submit a vulnerability to any vendor,” Tal Klein, VP of Strategy for Adallom, told SecurityWeek. “Some, like Google and Microsoft, are doing a good job of setting the pace, and companies like Bugcrowd are making it easier to manage the process, so we’re moving in the right direction, but the road is dark and full of terrors.”

“I think the next evolution of responsible disclosure will need a governing body that sets appropriate deadlines (and maybe payouts) for vulnerability disclosure by interfacing between researcher and vendor on metrics like severity, likelihood of exploitation, and impact to the vendor’s business,” Klein explained.