Security News > 2023 > February > QNAP starts bug bounty program with rewards up to $20,000

QNAP Systems, the Taiwanese manufacturer of popular NAS and other on-premise storage, smart networking and video devices, has launched a bug bounty program.

QNAP's NAS devices, in particular, have been getting hit in the last few years by information-stealing malware, bitcoin-mining malware, and ransomware, usually delivered by exploiting vulnerabilities.

"Our security bounty program only accepts security vulnerabilities in QNAP products and services. Out-of-scope vulnerabilities will not be eligible for a reward, with exceptions made for out-of-scope reports of critical vulnerabilities depending on the situation," the company notes.

As is usual with these types of programs, the bounties are higher if the report is clear and well-written, if testing code, scripts and detailed instructions are included, and if the reporter also includes a proposed fix.

Participants in the program are expected not to disclose or publish the contents of their report(s) until QNAP publishes a security advisory about it and/or otherwise gives permission for publication.

"After we confirm the integrity, you will receive a vulnerability confirmation from the PSIRT team. This will include the vulnerability's CVE ID and CVSSv3 Score. The proposal for amount of reward will be sent 4 weeks after the weakness confirmation. If you agree with the proposal, the reward will be transmitted within 12 weeks after receiving a reply."

News URL

https://www.helpnetsecurity.com/2023/02/27/qnap-bug-bounty-program/