Blackphone Launches Bug Bounty to Crowdsource Security

Blackphone and Silent Circle are going on a bug hunt and want your help. The two companies have officially kicked off a bug bounty program, which will reward those who can crack their code with real-world money. The company prides itself on its security and wants to be able to better protect its customers. It believes the bounty will help it fill in any remaining holes.

The Blackphone was developed by Geeksphone and Silent Circle. It launched earlier this year. Geeksphone is perhaps most well-known for supporting Firefox OS. Silent Circle, based in Washington, D.C., was formed by a former US Navy Seal and it provides encrypted communications services.

The Blackphone runs a modified version of Google's Android Platform called PrivatOS. The device is carrier- and vendor-independent. The backers of the device say it gives both regular people and businesses control over their privacy. For example, the Blackphone can make and receive secure phone calls, exchange secure texts, transfer and store files securely, and video chat without compromising user privacy on the device. Geeksphone made the hardware and Silent Circle provides all the Back-end Encryption that wraps everything up tightly.

"We have high expectations for security and privacy. In order to deliver on our expectations we must continually build a strong relationship with the security research community," said Dr. Daniel Ford, CSO of Blackphone and Silent Circle. Hence today's news of the bug bounty program.

Since Silent Circle runs all the encryption, it is managing the bug hunt. The hunt applies to all of Silent Circle's client apps, network services, cloud infrastructure, web sites, and web services. The company said it will pay a minimum bounty of $128 per security-related bug, but will increase that amount at its discretion depending on the severity of the bug uncovered.

There are some basic ground rules. For example, researches must be the first to discover and report a specific vulnerability if they want credit for it and the reward. Silent Circle has spelled out what is says are qualifying vulnerabilities. Silent Circle said researchers aren't allowed to publicly disclose the bug until after Silent Circle fixes it. Last, researches aren't allowed to work for Silent Circle, and must be able to legally accept the cash reward.

"Ensuring the privacy of its users is at the core of what do, making security of the utmost importance," said Toby Weir-Jones, CEO of Blackphone. "By launching our Bugcrowd bug bounty program, both companies are assuring their customers that their smartphone and communication software is subjected to the latest testing and assessment techniques, while providing a form of compensation for successful contributors."

Are you already cracking your knuckles in anticipation? If so, you can find all the pertinent details here.


Be sure to read the next Security article: Shellshock Bash Security Vulnerability Threatens the Internet