Huawei starts an invite-only Bug Bounty Program for its Android phones with payouts exceeding Samsung and Google
Software security is a big priority for most large smartphone makers, and while developing software, it is almost guaranteed that a few bugs or vulnerabilities slip through the cracks. Catching every issue ahead of time is basically impossible. Because of this, companies often have bug bounty programs encouraging security researchers to find and report exploits. The person or team that manages to successfully find, reproduce, document, and disclose said exploit or vulnerability can get a sizable amount of money depending on the severity of the issue.
Huawei, which is currently under a lot of scrutiny after the U.S. trade ban, is looking to convince the world that they’re serious about security. To that end, the company is opening up a bug bounty program of its own, as was announced during a private event held in Munich, Germany last week. Huawei invited some of the top security researchers to the event where the announcement was made. We previously learned of Huawei’s Vulnerability Rewards Program last December, but it seems that the program was only open in China. On the other hand, this new program seems to cater to the international cybersecurity community.
The structure of this new program is similar to other companies’ offerings, but the payouts are higher. Uncovering a bug deemed Low severity can net you up to €1,000, and if you discover a Critical vulnerability involving remote code execution in a privileged process, you may be eligible for up to a €200,000 payout. Eligible devices include Android smartphones in the Mate, P, Nova, Y9, and Honor lines, though Huawei’s HarmonyOS isn’t currently covered under the program. Because Huawei’s payment structure is based on euros instead of US dollars, its payouts are higher than those from Samsung and Google. The latter two companies offer a maximum $200,000 payout, while the €200,000 maximum payout from Huawei is nearly $221,552 at the time of this writing.
Huawei just announced private Mobile Bugbounty for Europe. It was amazing to see all the security researchers in one room. Great venue and organization. Now, time to hack! pic.twitter.com/wrWmYWLXnb
— Rado RC1 (@RabbitPro) November 16, 2019
However, this program is currently invite-only. Therefore, only security researchers invited by Huawei into the program are eligible for payouts. Invited researchers are able to give tokens to invite other researchers into the program, though. Initiatives like this will help make Huawei products more secure and demonstrate to the cybersecurity community that Huawei is taking security seriously.
We reached out to Huawei for more details on this program and will update this article if we learn more.