Bug bounty programs are the deal of the season. Almost every organization is offering exclusive programs to white hat hackers and security researchers in order to identify potential security flaws in their networks, operating systems and other devices. Many websites and software developers are now coming up with attractive bug bounty programs through which upcoming hackers can receive recognition and also make quick money by reporting bugs pertaining to vulnerabilities and exploits.
Through these programs, developers not only discover but also fix the reported bugs before the public gets a hint about it thereby preventing instances of widespread exploitation. So far many bigwigs of the computer and tech world have adopted this strategy namely Facebook, Google, Yahoo, Microsoft, Reddit and Square. Netgear is the latest to join the bandwagon.
We have already written about the latest study from Carnegie Mellon University’s public vulnerability database (CERT), in which it was revealed that Netgear routers R7000 and R6400 and some other models are vulnerable to command injection flaw. The vulnerability, if exploited by malicious threat actors, can help them in obtaining root privileges after which they will be free to run arbitrary commands. The code for exploiting Netgear routers’ vulnerability is also released online and this aspect makes the situation a lot more worrisome for the company.
This is why Netgear has decided to launch its first bug bounty program through which other vulnerabilities in the company’s routers could also be identified before anyone exploits them. The company stated in its latest post announcing the bug bounty program that:
“We are constantly monitoring our products to get in front of the latest threats. Every day new security issues develop. NETGEAR strives to keep up-to-date on the latest security developments by working with both security researchers and companies. This program encourages and rewards contributions by developers and security researchers who help make NETGEAR’s products more secure. Through this program, NETGEAR provides monetary rewards or points for security vulnerabilities responsibly disclosed to us.”
NETGEAR vice president of information technology Tejas Shah said, “As the innovative leader in connecting the world to the internet, NETGEAR must earn and maintain the trust of its users by protecting the privacy and security of their data. Being proactive when it comes to security is fundamental to NETGEAR’s approach. By adding a managed bug bounty program through Bugcrowd, we are adding one more layer to our security program.”
Casey Ellis, CEO and founder, Bugcrowd told HackRead that, “With the white hat hacker community in their corner, NETGEAR is cementing their position as the leader in consumer device security,” said Casey Ellis, CEO and founder of Bugcrowd. “We look forward to managing NETGEAR’s program and ensuring they get the best possible results to help them improve their security posture and build even more secure products.”
Netgear’s Bug Bounty program, titled “NETGEAR Responsible Disclosure Program” is launched exclusively for identification of security flaws in Netgear products and associated services. Other aspects like marketing websites or support, etc., are out of the program’s scope unless it is included in the domain of Netgear.
The company has presented 2 types of security flaw disclosure programs namely the Kudos Program and Cash Reward Program. The Kudos Program will offer rewards in points and is strictly limited to issues pertaining to the latest version of the software. The Cash Reward Program offers rewards in US Dollars and involves identification of security vulnerabilities in some of their products. Participants are required to report bugs as soon as they are identified; the bugs may be used in the form of chain submission at any time in the next 6 months.
The scope of NETGEAR’s bug bounty program includes NETGEAR’s devices, mobile applications, and exposed APIs with potential rewards ranging from Bugcrowd points to $150 – $15,000 USD per bug identified.
There are certain bugs that are excluded from the bug bounty program, which include Netgear AWS infrastructure attacks, automated scanning attacks, social engineering including phishing, DDoS attacks, usability issues, UI and UX bugs, spelling errors, product license violation, previously identified security flaws, flaws resulting from malware, missing MX records or SPF records and low impact issues, etc.
The company is only interested in getting hands-on high impact issues, which is why only the latest versions of all of its products and software are required to be inspected. The full list of products that can be examined in this bug bounty program can be viewed here.