Taiwan-based QNAP Systems has announced a bug bounty program that offers rewards of up to $20,000 for vulnerabilities reported through the program. As a manufacturer of network-attached storage (NAS) and professional network video recorder (NVR) solutions, as well as various types of networking equipment, the company is interested in hunting for flaws in its applications, cloud services, and operating systems.
Under the program, vulnerabilities in operating systems are eligible for rewards of up to $20,000, while vulnerabilities in applications and cloud services can earn a maximum of $10,000 and $5,000, respectively. To be considered for a reward, reports must not describe previously reported security defects, details about the flaw must not be publicly shared, and the issue must be replicable and validated by QNAP’s security team. Higher bounties may be awarded for clear, well-written reports that also include detailed instructions and proof-of-concept (PoC) code, along with suggestions on how the bug should be fixed.
QNAP also notes that while only released applications, cloud services, and operating systems are within the program’s scope, rewards may be paid out for critical vulnerabilities that are out of scope. The company has provided a PGP public key that interested security researchers can use to encrypt emails containing vulnerability submissions.
In conclusion, QNAP Systems is offering rewards of up to $20,000 for vulnerabilities reported through its newly launched bug bounty program. The company is interested in hunting for flaws in its applications, cloud services, and operating systems, with higher bounties available for clear, well-written reports that include detailed instructions and proof-of-concept (PoC) code. Rewards may also be paid out for critical vulnerabilities that are out of scope.
Key Points:
- QNAP Systems has announced a bug bounty program that offers rewards of up to $20,000.
- The company is interested in hunting for flaws in its applications, cloud services, and operating systems.
- Higher bounties are available for clear, well-written reports that include detailed instructions and proof-of-concept (PoC) code.
- Rewards may also be paid out for critical vulnerabilities that are out of scope.