QNAP Systems, the Taiwanese manufacturer of popular NAS and other on-premise storage, smart networking and video devices, has launched a bug bounty program.
QNAP’s NAS devices, in particular, have repeatedly been hit in the last few years by information-stealing malware, bitcoin-mining malware and ransomware, usually delivered by exploiting vulnerabilities in the devices’ software.
About the QNAP bug bounty program
“Our security bounty program only accepts security vulnerabilities in QNAP products and services. Out-of-scope vulnerabilities will not be eligible for a reward, with exceptions made for out-of-scope reports of critical vulnerabilities depending on the situation,” the company notes.
Bug hunters should probe:
- QNAP’s operating systems (QTS, QuTS hero, QuTScloud) – Rewards up to $20,000
- QNAP-developed applications (Helpdesk, License Center, Malware Remover, myQNAPcloud Link, Network & Virtual Switch, Notification Center, QTS SSL Certificate, QuLog Center, Resource Monitor, Qsync Central, HBS 3 Hybrid Backup Sync, Qboost, Multimedia Console, Media Streaming add-on, QVPN Service, Virtualization Station, Container Station, QuFirewall, Download Station, Video Station, Photo Station, QuMagie) – Rewards up to $10,000
- QNAP cloud services (www.myqnapcloud.com, organization.qnap.com, amizcloud.qnap.com, license.qnap.com, www.qmiix.com, account.qnap.com, quwan.qnap.com) – Rewards up to $5,000
As is usual with these types of programs, the bounties are higher if the report is clear and well-written, if testing code, scripts and detailed instructions are included, and if the reporter also includes a proposed fix.
Participants in the program are expected not to disclose or publish the contents of their report(s) until QNAP publishes a security advisory about the flaw and/or otherwise gives permission for publication. (If a company does neither and “sits” on the flaw indefinitely without fixing it, security researchers have been known to forgo bounties and publish information about the discovered vulnerabilities.)
“After sending the PGP-encrypted email to email@example.com you will receive an auto-reply email with a ticket number which can be used to check our review progress. QNAP’s PSIRT team will contact you to confirm the integrity of the submitted information,” the company says.
“After we confirm the integrity, you will receive a vulnerability confirmation from the PSIRT team. This will include the vulnerability’s CVE ID and CVSSv3 score. The proposal for the amount of the reward will be sent 4 weeks after the weakness confirmation. If you agree with the proposal, the reward will be transmitted within 12 weeks after receiving a reply.”