Researchers invited to test for flaws under new YesWeHack platform

Chinese phone manufacturer ZTE launches public bug bounty program

UPDATED Mobile phone manufacturer ZTE has announced the launch of a public bug bounty program offering up to €2,000 ($2,300) for security vulnerabilities.

The program, launched in partnership with French vulnerability disclosure platform YesWeHack, invites researchers to look for security flaws in ZTE products.

A press release published last night (October 11) detailed several in-scope product categories, including ZTE’s 5G Common Core network, 5G NR broadcast tech, and fixed network, along with multimedia, cloud video, cloud computing, database management systems, and terminal products.

ZTE web applications and other devices not listed on YesWeHack’s website are out of scope.

Publicly available

A spokesperson for YesWeHack told The Daily Swig that the program is an expansion of a private offering for invite-only researchers.

The program invites both individuals and groups of up to five to participate. The biggest rewards are for critical bugs including remote code execution.

Kevin Gallerin, APAC managing director at YesWeHack, told The Daily Swig: “With major operators launching new 5G services around the world and an increasing number of devices accessing the network, handset security is of particular interest.

“Handset vulnerabilities can be extremely sensitive as they could lead to a breach of confidentiality, allowing an attacker to access everything on the handset from photos to private information, so making them secure is vital to protecting personal and business data.”

Zhong Hong, chief security officer at ZTE, said: “Through openness and transparency, we try to give our customers confidence by letting them see what we do and how we provide end-to-end security.”

Hong added: “Our partnership with YesWeHack will help to enhance the security of ZTE’s products and confront new challenges brought by the 5G network commercialization.”

This article has been updated to include further comment.
