What Testers Need To Know About The Blackphone Bug Bounty Program

Silent Circle has implemented a bug bounty program for its Blackphone through the Bugcrowd platform. The project aims to root out vulnerability issues in the company’s proclaimed “surveillance-proof” device. The concept is simple: software testers work with the company’s PrivatOS and earn a $128 bounty for every bug found and reported.

What Is Blackphone?

Silent Circle’s Blackphone comes pre-installed with specialized apps and software designed to protect users’ privacy. This includes Silent Circle’s communications technology, which enables anonymous internet browsing and VPN connections, wireless network security, private cloud storage, and call and text message encryption.

Blackphone runs on PrivatOS, a heavily modified version of Android 4.4 “KitKat” that includes Silent Circle’s own ‘silent’ features for keys, contacts, calls, and texts. These services let users send and receive calls and texts, move, store, and manage files, and make video calls under the premise that they will not be tracked, recorded, or otherwise breached.

The ‘silence’ works by establishing failsafe secure channels between compatible phones. The service relies on encryption keys that are generated automatically for each session and deleted afterwards. To ensure maximum protection, the keys are never stored on the phone or transferred to Silent Circle.

How Does The Bounty Program Work?

Launched by Silent Circle, the bug bounty program encourages security testers to find and privately report vulnerabilities in the Blackphone’s apps, network services, and cloud offerings. The program also covers Blackphone-related websites and web offerings. For the phone’s PrivatOS, the bounty program includes integrated apps, OS updates, server vulnerabilities, and issues with the web portal.

The Blackphone bug bounty program pays at least $128 to anyone who uncovers and reports new security issues or exploits affecting the phone. The company may adjust the amount depending on the severity of the vulnerability and other factors, and cannot be legally barred from issuing a reward. For someone to qualify, they must:

  • Be the first to report the vulnerability
  • Report a vulnerability that meets the program criteria
  • Not publicly announce the vulnerability before Blackphone’s decision
  • Not currently work for Blackphone or partner organizations

The program excludes descriptive error messages, HTTP 404 error codes, clickjacking and self-XSS issues, logout cross-site request forgery (CSRF), and the other exclusions listed on the project page.

Reaching The Pinnacle Of Security

Former Blackphone CEO Toby Weir-Jones announced that the company aims chiefly to ensure user privacy and prioritize security. Through the Bugcrowd-based bug bounty program, the Blackphone’s weaknesses can be exposed – and patched. Current CEO Bill Conner, appointed in January, announced his intent to succeed where BlackBerry failed and knight Silent Circle as the new Apple.

The Silent giant may not conquer Apple anytime soon, but its bug bounty program is helping the Blackphone reach new heights of data security and privacy. The program came into being after hackers breached the Blackphone at the Las Vegas Def Con hacker conference in 2014.

While a truly invulnerable device will probably remain a technophile’s dream, the makers of the Blackphone hope to make their device the most secure on the market.

“Our belief is that you have to go to next generation architecture, like mobile, that is more secure in some ways, but still has its liabilities,” says Conner. “We are trying to intercept the next generation architectures from devices to application suites to the networking services to do that.”

Blackphone is the brainchild of Silent Circle, who bought out partner Geeksphone to gain full ownership of its former joint identity, SGP Technologies. Equipped with the latest version of PrivatOS, the Blackphone combines personalization with what Silent Circle deems “truly surveillance-proof” technology. For bug testers, the Blackphone represents a unique opportunity to gain insight into the latest security developments and earn some respectable spending money.

Edgar L