Company: Huawei
Client in lead: David Calligaris
Chinese technology company Huawei (pronounced ghwɑ-wej) is one of many companies that rely on our expertise and security researchers for running bug bounty programs. We spoke to David Calligaris from Huawei on this topic and, of course, about the cooperation with Zerocopter.
“I can say that we want to extend the bug bounty program to other Huawei products in the future”
Huawei started a bug bounty program trial two years ago in China, followed by a rollout in Europe halfway through 2019, executed by David and his team along with the help of Zerocopter. Part of this roll-out was an event in Germany where the program was presented and where the best European security researchers were invited to join. Currently, the Huawei bug bounty program is still under development and ‘invite-only’.
“I’m part of the internal security testing team and it’s our job to do vulnerability research and penetration testing on Huawei products. Every big company has these kinds of teams, but at Huawei, it’s kind of special since we’re working on new technologies and products that are not on the market yet. While this is unique, it definitely makes our job even more challenging. Currently, my team and I are working on fuzzing (software testing) and variant analysis, and since last year we have been triaging the vulnerabilities that have been reported through the bug bounty program.”
“We’re not afraid of spending even more, because we are very keen on making our products as secure as possible”
“We are very happy with it. We’ve received submissions from many security researchers and we hope to continue on this footing. It is amazing; with the bug bounty program we are getting in connection with skills on the full mobile phone stack, from low-level (e.g. baseband) to high-level vulnerabilities (e.g. Java mobile apps). We get vulnerabilities from people that develop their own tools and methodologies and it is wonderful to connect with so many talented people and ideas.”
“Yes, we also want to involve other security researchers in the program. It was for this reason that some of the security researchers from the Zerocopter platform have received an invitation token to encourage peers to join our bug bounty program. We will continue with this approach.”
“We wanted to create a good system built around the bug bounty program that makes the security researchers happy to work on it. And we wanted to have all the conditions in place to make the program successful, like time of response, reward, clearness of the bug bounty briefing, policy on duplicates, etcetera. The only way to have a good bug bounty program is to have a fair approach with the researchers. Some of them are doing bug bounties as a full-time job and the time invested should be properly rewarded. I can say that we want to extend the bug bounty program to other Huawei products in the future.”
“We want to extend the bug bounty program to other products and services, and hope to do so very soon. We will send invitations to a selected group of security researchers in our network of connections and from here we will select people on the Zerocopter platform based on their skills and send them an invitation. What I can say is that we have our eye on devices like Huawei TV and Huawei Mobile Services (HMS).”
“Yes, it’s on the roadmap but we have not set a clear ‘release’ date.”
“Throughout the program, we have seen researchers teaming up. We have people that develop their own fuzzers and harnesses who are teaming up with people that have experience in crash analysis and specific detailed knowledge.”
“Unfortunately I can’t disclose the exact amount, but what I can say is that we’ve already spent quite an amount on rewards. We’re not afraid of spending even more, because we are very keen on making our products as secure as possible.”
“Certainly not. If I want caffeine, I only drink Italian espresso. Maybe one day I will drink my first Club-Mate with Edwin when I’m in Amsterdam.”