OnQ Blog

Inside Qualcomm Technologies' Vulnerability Rewards Program

The Qualcomm Vulnerability Rewards Program just completed its second year, and to mark the occasion we are sharing some insights into the program, how it has evolved, and how you might play a part.

If you are not familiar, a vulnerability reward, or “bug bounty” program, offers money to people who report security problems in a company’s products and services. Qualcomm Technologies launched our vulnerability rewards program on November 17, 2016 and received our first submission within a few hours. In the two years since, we’ve paid out nearly 350 bounties to many talented and dedicated researchers, totaling over $750,000. Impressively, more than $200,000 of this amount has gone to our single highest-earning researcher.

From submission to publication, the incident response process can take several months. We’d like to provide a high-level overview of “how the sausage is made” because participants often ask why it takes so long. When we receive a bug report, one of our incident response engineers begins an analysis. This review determines whether the issue is novel, valid, and ultimately warrants an update or fix by Qualcomm Technologies. If so, we file a bug report in our internal systems and work with development teams to create a patch and propagate it to the impacted code branches and products. Then we create an issue signature and enter it into our build infrastructure to ensure that we stop shipping code with the issue. When all this is in place, we notify our customers and partners in the mobile ecosystem to ensure they have time to test and deploy the fixes. Phew! Finally, we publish the fixes in an appropriate security bulletin and credit the researchers in the appropriate hall of fame.

Let’s dig into the three aspects of our review listed above. First, we look at whether the code is owned by Qualcomm Technologies. When we receive reports for code that is not authored by us, we are happy to forward the report as appropriate or direct the reporter to the correct bug bounty program if possible. Next, we check that the bug is valid, meaning that it impacts at least one device powered by a product that’s in our program’s scope, and for some less-severe reports, that the reporter provides a working proof-of-concept for the bug. Lastly, we consider whether it is novel, which of course means that the report must be something we are not already aware of, but there’s some subtlety to consider. When we receive a report and determine that it’s valid, we perform a gap analysis, digging through our code to find any other instances of that precise code pattern and any variations we can identify. It’s important to note that this search happens for a given report before we look at any other reports that have already been submitted. This means that only the first of a set of closely related reports is likely to be awarded.

The chart below shows the security ratings and categories we’ve assigned to all the vulnerability reports received through November 2018. It’s interesting to note that only about 40% of the reports wound up meeting the criteria described above.

Qualcomm Vulnerability Rewards Program security ratings and categories


We operate our vulnerability rewards program on an invitation-only basis. This allows us to work closely and build exceptional relationships with our researchers — three of whom we’ve been fortunate enough to hire onto our team. We are nonetheless always looking for additional skilled researchers to poke around our products. If you would like an invitation to the program, please send us a message at product-security@qualcomm.com and let us know why we’re missing out: show us a CVE or two, a talk you’ve given, or a paper you’ve published. We’ll take a look and send out an invitation if we think you’re a suitable candidate.

Overall, we believe the Qualcomm Vulnerability Rewards Program has been a success so far, but things are changing to get even better. While we started with only mobile devices in scope, we’ve recently added one of our Wi-Fi access point platforms, so there’s more to look at now than ever. We plan on continuing to expand the program to other segments — ensuring that our customers, and ultimately consumers, have the best experience possible when using our products. Stay tuned and happy hunting!
