Netgear has broken ranks from the consumer router security shame factory to offer a bug bounty sporting extra rewards for chained exploits.
Hoping to shake the SOHOpeless tag, the vendor will hand out up to US$15,000 for hackers reporting global remote unauthorised access from the internet to Netgear devices, and unauthorised access to Netgear's cloud storage or live video feeds and files.
Hackers will bag US$10,000 to those who can pull off those feats for individual users, or can score credit card information including the all critical CVV numbers.
They will score half that in they can steal only one user's payment information or the majority of Netgear's customer database including logins and products owned.
The vendor under its bug bounty is encouraging hackers to chain vulnerabilities to score a chain bonus which will multiply the payout by a factor of three.
"Chaining of bugs is encouraged to demonstrate a higher impact and receive rewards," Netgear security types say.
"Participants are asked to report the bugs as they are found and those can then be used as a part of a chain submission by the participant any time during the next six months.
"If you report a unique chain vulnerability, with a minimum of three bugs, in addition to the cash reward for each individual bug in the chain, Netgear will apply a chain bonus for the bug that results from the chain."
Those wanting to bag a chained bug bounty must be the first to file the bugs used in the combo-breakers; "so file early and file often!" Netgear says.
The bug bounty is a very welcome move for a router industry in dire need of stronger security controls, and could see Netgear become a consumer router vendor with noted infosec chops.
Really happy to see Netgear's bug bounty program, more consumer networking folks should do the same: https://t.co/3TAgIDxKKq— HD Moore (@hdmoore) January 5, 2017
Netgear says those hacking its Amazon Web Services assets, its website, or offering the regular list of dismissed attacks like social engineering and distributed denial of service attack need not apply. ®