Doesn't address the issue
It's a limited product list that doesn't address the issue of Netgear rebranded goods being the main routers for thousands of households.
Netgear has broken ranks from the consumer router security shame factory to offer a bug bounty sporting extra rewards for chained exploits. Hoping to shake the SOHOpeless tag, the vendor will hand out up to US$15,000 for hackers reporting global remote unauthorised access from the internet to Netgear devices, and unauthorised …
I would have thought the main issue wasn't so much getting bug reports filed as actually fixing them and pushing out an updated firmware image with those verified fixes? Netgear might be upping their game (finally!) on bug bounties but they've proved poor in the whole area of fixing bugs with updated firmware, and even when they do, products get EOLd soon after release because the fixes only get applied to the vn+1 HW they've just released. [This happened with my router - loads of ADSL bugs which were never fixed in an official firmware release because they put all the bug fixes in a v2 HW release instead. I only got some of the fixes because I switched to an Engineering beta firmware after pestering their Support].
On the issue of rebranding - if it says Netgear on the front they need to understand they're going to take the flak for it whether it's their Hardware/Firmware or not, so yes, rebranded items should be included.
Oh and FTA: "They will score half that in they can steal only one user's payment information or the majority of Netgear's customer database including logins and products owned."
So if someone hacks their main customer database but only makes off with the majority of it they only get five grand? I can't help thinking it would be worth more than that to a competitor?
I have very faint hopes of any improvement to Netgear's kit raising it to the level of "OK".
Example: I bought a wifi booster (this one) recently. Two ways of setting the thing up: WPS (which my router doesn't have), or putting my email and a password into a browser interface. The second would not have been so bad (still a bit wtf though) except that the thing complained the email I gave it (which El Reg, Google, Amazon, Facebook, etc. are perfectly fine with) was an invalid email address.
If a company making network kit can't handle a slightly unconventional email address, the chances are their code inside the device is full of similar horrors - it's certainly the last product I'll buy from them.