Security Experts:

Connect with us

Hi, what are you looking for?



Blackphone, Silent Circle Launch Bug Bounty Programs

Security researchers can earn a minimum of $128 by reporting vulnerabilities in the privacy-focused Android-based phone Blackphone and Silent Circle’s secure communications services.

Security researchers can earn a minimum of $128 by reporting vulnerabilities in the privacy-focused Android-based phone Blackphone and Silent Circle’s secure communications services.

SGP Technologies, the joint venture between Geeksphone and Silent Circle responsible for the development of Blackphone, announced today the launch of two bug bounty programs via the Bugcrowd platform.

For the Silent Circle program, security researchers are encouraged to find and responsibly disclose vulnerabilities in the company’s endpoint applications on supported operating systems, and network services and cloud infrastructure. Many researchers will be pleased to learn that the bug bounty also covers associated websites and Web services.

The Blackphone bug bounty program covers PrivatOS, including available updates and integrated applications, Blackphone update servers, and associated Web portals.

The list of issues excluded from the bug bounties includes descriptive error messages, brute-force or account lockout flaws on login and password recovery pages, clickjacking, self-XSS, and logout CSRF.

While the standard reward is $128 per flaw, Blackphone and Silent Circle will hand out amounts based on the severity of each reported vulnerability. It is also worth noting that both programs require that researchers ask for explicit permission before disclosing the results of a submission.

“We have high expectations for security and privacy. In order to deliver on our expectations we must continually build a strong relationship with the security research community,” said Daniel Ford, CSO of SGP Technologies.

“Ensuring the privacy of its users is at the core of what do, making security of the utmost importance,” noted Toby Weir-Jones, the company’s CEO.  “By launching our Bugcrowd bug bounty program, both companies are assuring their customers that their smartphone and communication software is subjected to the latest testing and assessment techniques, while providing a form of compensation for successful contributors.”

Many organizations have launched bug bounty programs recently, including social media networks Twitter and Pinterest.

“Companies are learning that if you’re going to win at cybersecurity, you’re not going to do it alone. It’s not the smoothest of roads having companies transition from being openly hostile to hackers of any shade of hat, to being open to outside help from those who offer it, but ultimately the more eyes there are on the problem, the more likely it will get found and fixed before it’s exploited,” Casey Ellis, CEO of Bugcrowd, told SecurityWeek.

While many experts agree that responsible disclosure is heading in the right direction, some point out that there are still a number of issues that need to be addressed.

“The software vendor mindset towards vulnerability disclosure continues to evolve from ‘criminal’ to ‘helpful’ but I don’t think we’ve reached the point where anyone can comfortably submit a vulnerability to any vendor,” Tal Klein, VP of Strategy for Adallom, told SecurityWeek. “Some, like Google and Microsoft, are doing a good job of setting the pace, and companies like Bugcrowd are making it easier to manage the process, so we’re moving in the right direction, but the road is dark and full of terrors.”

“I think the next evolution of responsible disclosure will need a governing body that sets appropriate deadlines (and maybe payouts) for vulnerability disclosure by interfacing between researcher and vendor on metrics like severity, likelihood of exploitation, and impact to the vendor’s business,” Klein explained.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.