Huawei opens a Vulnerability Reward Program with a max payout of ~$143,000
Mobile security is important for a number of reasons, not least because most of our personal lives now reside on our smartphones. From photographs to social media, anybody with malicious access to your device could, in theory, cause a number of problems in your life. That’s why it’s important to make sure you have the latest security patches and to be sure not to install anything that could steal your data or damage your phone. While some vulnerabilities are in AOSP, others may be in the custom software that device OEMs ship, such as EMUI. As such, Huawei has opened a vulnerability reward program in partnership with 360 Mobile Security, with a maximum payout of RMB 1 million (roughly $143,000) for a reported vulnerability that is deemed serious enough.
The partnership was announced at Huawei’s terminal security award program conference and is open to all invited security researchers. Zhou Mingjian, head of the 360 Mobile Security C0RE team, said that vendor drivers account for 90% of all vulnerabilities found in Android devices. He also said that the 360 C0RE team was responsible for finding 138 Android vulnerabilities in the past two years, a little more than 12% of all vulnerabilities found in that timeframe.
It’s a shame that the reward program is not open to any developer out there, but it’s a start, and it is similar to the approach many other companies around the world have taken in the past. While it’s not in the best interests of the development community, a bug bounty reward program often gives developers a monetary incentive to release their exploits to the company involved rather than to the developer community. Obviously, it’s also generally better for consumers, as it means vulnerabilities get patched as well. It’s unknown whether Huawei intends to expand the program, or whether it will announce it in the West.