Hackers will get paid for finding Blackphone flaws after all

Blackphone and Silent Circle, the secure communications firm that is behind the privacy-centric handset, have launched a program to pay hackers for pointing out flaws in their systems — despite previously indicating this wouldn’t happen.

Bug bounty programs have become an integral part of the security scene – companies such as Google, Facebook and Twitter (but not, notably, Apple) pay out varying amounts to those who make them aware of their own vulnerabilities. In Blackphone and Silent Circle’s case, the companies will shell out a minimum of $128 per bug. It’s not the thousands of dollars that the likes of Facebook offer, but these are smaller operations and at least it’s a nice nerdy number.

“We have high expectations for security and privacy,” Blackphone and Silent Circle security chief Daniel Ford said in a statement. “In order to deliver on our expectations we must continually build a strong relationship with the security research community.”

The Blackphone, which is largely pitched at enterprise users, uses a forked version of Android called PrivatOS and comes with Silent Circle’s apps (and a few others, including Disconnect) preinstalled. Silent Circle’s encrypted voice and messaging services are also available to users of other mobile devices, for a subscription fee.

You may recall stories a month or two back about Blackphone getting “hacked” at the security conference Defcon. There was an element of misreporting involved, and the hack was actually really difficult and unlikely – the attacker would need to physically have the handset and its PIN code, and the phone would have to have been incorrectly configured at setup. There was no serious threat in that case.

Nonetheless, the issue of bug bounties came up at the time — the hacker was annoyed that he only got a T-shirt for his troubles — and Toby Weir-Jones, the CEO of Blackphone company SGP Technologies (a joint venture between Silent Circle and the Spanish manufacturer Geeksphone), told Ars Technica that such bounties were too pricey for a small firm and also ran counter to the firm’s philosophy of “democratic access” to information.

I guess that changed. Details on the Blackphone bug bounty are here, and those on the Silent Circle bug bounty are here.