Running a bug bounty program for Huawei

Company: Huawei

Client lead: David Calligaris

Chinese technology company Huawei (pronounced ghwɑ-wej) is one of many companies that rely on our expertise and security researchers to run bug bounty programs. We spoke to David Calligaris from Huawei about this topic and, of course, about the cooperation with Zerocopter.

Background

Huawei started a bug bounty program trial two years ago in China, followed by a rollout in Europe halfway through 2019, executed by David and his team with the help of Zerocopter. Part of this rollout was an event in Germany where the program was presented and the best European security researchers were invited to join. Currently, the Huawei bug bounty program is still under development and ‘invite-only’.

David, what are you and your team (currently) working on at Huawei?

“I’m part of the internal security testing team and it’s our job to do vulnerability research and penetration testing on Huawei products. Every big company has these kinds of teams, but at Huawei it’s kind of special, since we’re working on new technologies and products that are not on the market yet. While this is unique, it definitely makes our job even more challenging. Currently, my team and I are working on fuzzing (software testing) and variant analysis, and since last year we have been triaging the vulnerabilities that have been reported through the bug bounty program.”

The European part of the Huawei bug bounty program trial is now ten months underway. How has it gone so far?

“We are very happy with it. We’ve received submissions from many security researchers and we hope to continue on this footing. It is amazing: with the bug bounty program we are connecting with skills across the full mobile phone stack, from low-level (e.g. baseband) to high-level vulnerabilities (e.g. Java mobile apps). We get vulnerabilities from people that develop their own tools and methodologies, and it is wonderful to connect with so many talented people and ideas.”

You started off with only a small group of bug bounty hunters: are you planning on expanding the group?

“Yes, we also want to involve other security researchers in the program. It was for this reason that some of the security researchers from the Zerocopter platform have received an invitation token to encourage peers to join our bug bounty program. We will continue with this approach.”

And what is the reason you started off with a small group?

“We wanted to create a good system built around the bug bounty program that makes the security researchers happy to work on it. And we wanted to have all the conditions in place to make the program successful, like response time, rewards, clarity of the bug bounty briefing, the policy on duplicates, etc. The only way to have a good bug bounty program is to have a fair approach with the researchers. Some of them are doing bug bounties as a full-time job, and the time invested should be properly rewarded. I can say that we want to extend the bug bounty program to other Huawei products in the future.”

What future products do you have in scope?

“We want to extend the bug bounty program to other products and services, and hope to do so very soon. We will send invitations to a selected group of security researchers in our network of connections, and from there we will select people on the Zerocopter platform based on their skills and send them an invitation. What I can say is that we have our eye on devices like Huawei TV and Huawei Mobile Services (HMS).”

Do you plan to make the bug bounty program public?

“Yes, it’s on the roadmap but we have not set a clear ‘release’ date.”

Are you also observing the cooperation between the participating security researchers?

“Throughout the program, we have seen researchers teaming up. We have people that develop their own fuzzers and harnesses teaming up with people that have experience in crash analysis and specific detailed knowledge.”

A question that everybody is curious to know the answer to: how much money have you spent on bug bounty rewards at this point?

“Unfortunately, I can’t disclose the exact amount, but what I can say is that we’ve already spent quite an amount on rewards. We’re not afraid of spending even more, because we are very keen on making our products as secure as possible.”

Edwin van Andel, our CEO, is an avid supporter of Club-Mate. Has he already convinced you to drink it?

“Certainly not. If I want caffeine, I only drink Italian espresso. Maybe one day I will drink my first Club-Mate with Edwin when I’m in Amsterdam.”

Thanks David!
