Squashing bugs of the software kind is no easy task. It is logistically impossible for developers to find and fix all possible bugs but users and customers do expect them to cover the most critical ones. On the flip side, developers and companies can only hope that users report the bugs they come across rather than exploit them for personal gain. That doesn’t always happen, which is why bug bounties were born. Now OnePlus is opening not one but two such programs to stop this year’s two massive breaches from happening again.
There is a saying in open source circles that goes something like “more eyes make all bugs shallow”. The problem in practice, however, is that those eyes don’t often report the bugs. Worse are those that use the discovered knowledge to earn a quick buck or two. But what if you actually get paid for discovering and disclosing those bugs through proper channels?
Bug bounty programs such as OnePlus’ new Security Response Center do exactly that, promising monetary rewards for disclosure and even more for fixes. OnePlus is offering rewards between $50 and $7,000 depending on the severity of the bug reported. It has not yet disclosed, however, the criteria it uses to rate severity.
OnePlus doesn’t stop there, though. As it promised last month, it has partnered with a professional security platform, namely HackerOne, to get more pros testing its systems. That program won’t go public until 2020 but a private pilot is already in the works. Details about that program are still hush-hush, of course.
OnePlus’ bug bounties don’t just cover its smartphones, as some might presume, but all of OnePlus’ systems, including its website and forums. This is in response to two incidents, in January and November, in which customer data was pilfered from its website rather than from its smartphones.