Qualcomm has recently announced its new Vulnerability Rewards Program, under which it is offering £12,000 ($15,000) to anyone able to spot bugs in its modems and processors. The news comes off the back of the DEF CON conference in August, where four vulnerabilities in the company’s chipsets were revealed.
Mike Ahmadi, Global Director – Critical Security Systems at Synopsys:
“Chipmakers build chips based on customer needs and specifications, which are mostly driven by features and cost. Most of the better chipmakers build decent quality hardware-based secure chips, which meet or exceed Common Criteria EAL4 or FIPS 140-2 Level 3 requirements for secure hardware, but customers today often opt for lower cost alternatives with software-based security added in. This situation makes security much more challenging, since software-based security is generally easier to compromise.
“Modern chipmakers are expected to provide software (firmware) as well as hardware, so it becomes incumbent upon them to address the more challenging world of software security due to the need to meet customer demands. It is like they have solved a problem, through hardware-based security, but the customer expects this to extend to everything the chipmaker builds. In order to compete in the marketspace, chipmakers will have to make software security a priority.”