ZTE has widened a bug bounty scheme to plug security vulnerabilities in its products, especially potential holes brought about by the launch of commercial 5G networks and services. The Chinese networking equipment vendor is working with bug bounty platform YesWeHack to test a range of products, including smartphones as well as cloud computing and database management systems.
More than 30,000 researchers in YesWeHack’s global network have been invited to participate in the bounty, which offers up to $2,000 for each bug uncovered, with the final amount awarded depending on the level of severity. When ZDNet spoke with its Asia-Pacific managing director Kevin Gallerin in July, the bug bounty platform worked with 10,000 security researchers in this region.
In a statement Monday, YesWeHack said the deployment of 5G networks had further underscored the importance of cybersecurity in the telecoms industry, with such rollouts increasing potential attack surfaces and introducing new technologies and techniques into the threat landscape.
Blocking China can lead to fragmented 5G market
With China-US trade relations still tense, efforts to cut out Chinese vendors such as Huawei from 5G implementations may create separate ecosystems and consumers could lose out on benefits from the wide adoption of global standards, as demonstrated with 4G.
Read More
“In addition, the ability of 5G to support massive Internet of Things (IoT) connectivity introduces many times more devices connected to the network, presenting a wide-reaching and increased attack surface,” it said.
ZTE’s product portfolio spans handsets, mobile broadband, terminal chipset modules, and peripheral products. The bug bounty would enable the Shenzhen-based vendor build “a sound cybersecurity governance structure” and “security assurance mechanism” across the entire product lifecycle, YesWeHack said.
ZTE’s chief security officer Zhong Hong said in the statement: “Through openness and transparency, we try to give our customers confidence by letting them see what we do and how we provide end-to-end security. Our partnership with YesWeHack will help to enhance the security of ZTE’s products and confront new challenges brought by the 5G network commercialisation.”
The ZTE bug bounty covers product categories such as the vendor’s 5G Common Core fixed networking systems, 5G NR (New Radio) equipment, smart home and video IoT systems, and Axon and Blade smartphone series.
ZTE has remained on the list of telecoms equipment barred from being purchased using the US Federal Communications Commission’s (FCC) Universal Service Fund, after the US government agency rejected the Chinese vendor’s request to be removed as a national security threat.
The FCC last month set out its conditions for small carriers looking to be reimbursed for ripping out and replacing network equipment and services from ZTE and Huawei. Amongst the conditions it listed for access to the designated $1.9 billion in funds, the commission said eligible expenses included the cost of removing, replacing, and disposing ZTE and Huawei equipment and services obtained on or before June 30 last year.
The reimbursement scheme had been been in the works for two years, after the FCC officially labelled the two Chinese networking equipment vendor as national security threats in July 2020.
GSMA has projected Asia-Pacific to be the world’s largest 5G region by 2025, hitting 675 million connections–or more than half of the global volume. The industry group, though, revised its 2020 projection of 5G connections to be 20% lower than its previous forecast, due to the global pandemic.
It said the region’s growth would be led by markets such as China, Japan, and South Korea, with mobile operators investing $331 billion building out their 5G networks. GSMA further estimated that 24 markets across Asia-Pacific would have launched 5G by 2025, including China where 28% of mobile connections would run on 5G networks and account for a third of the world’s 5G connections.