QNAP has just announced its new bounty hunter program, inviting security experts and researchers from every part of the planet. The initiative is meant to help protect the company’s NAS products and services from further attacks, a problem that unfortunately plagues all brands. If you aid QNAP in this endeavor, you can earn up to $20,000 per vulnerability.
The QNAP Security Bounty Program covers rewards for security vulnerabilities relating to QNAP operating systems (QTS, etc.), first-party applications, as well as cloud services. The company is prepared to reward each vulnerability report with up to $20,000 based on an internal review rating. To help provide clarity, QNAP has both scope and terms pages available.
This move is largely in response to the previous attacks QNAP systems have suffered. The company isn’t alone in the NAS space (or the wider technology sector). Attacks such as these occur frequently, and we’ve covered ransomware affecting TerraMaster and ASUSTOR in the past. It’s positive to see such a move from QNAP.
“Since the inception of the QNAP PSIRT, we have been committed to maintaining the security of QNAP products and services and responding to information security incidents quickly. We are grateful for the vulnerability reports and feedback from security researchers, and we look forward to rallying more security professionals to work together to enhance network and information security.”
PSIRT Senior Manager at QNAP, Mr. Haung.
Consumers who purchase prebuilt NAS enclosures from brands such as QNAP place a lot of trust in the company to ensure its operating system, apps, and hardware are adequately protected from outside threats. It’s also worth noting that issues such as these are really only a concern for those who have their NAS connected to the outside world.
To participate in the QNAP Security Bounty Program, the company asks that an encrypted message (using the provided PGP public key) be sent to security@qnap.com.