Vincent Tsai
October 23, 2018

Rolling out the welcome mat for white-hat hackers to enhance product security with Synology’s Bug Bounty Program

More and more enterprises are employing bug bounty programs to make their products and services more secure and reliable. The concept of this program is to crowdsource information security from researchers who report security vulnerabilities that may incur irretrievable damage and are previously unknown to potentially affected companies. Those who submit vulnerability reports which are later validated by security analysts can receive monetary rewards. This concept starts to gain ground, and the world’s tech giants, such as Microsoft, Google, and Facebook launched similar programs aimed at enlisting the help of researchers across the globe in finding out potential security flaws that may pose a huge threat to products and technologies involved.

Synology is the very first data storage vendor to implement such a program, soliciting help from skilled researchers in an attempt to improve product security. Synology has been devoted to bringing the most secure products to our customers, and the idea to establish a security response team was developed rather early.

Making headway in product security

Synology took real action and proactively participated in information security-related events. For instance, Synology took part in HITCON 2015, where participants could get NAS as rewards once they found security weaknesses on the testing platform. In 2016, Synology went to Japan to learn the approach to coping with security incident response from the CERT/CC, including the discovery, triage, remediation, and disclosure process. In the same year, Synology established the Product Security Incident Response Team (PSIRT), which is responsible for ensuring product security, handling security incidents, and implementing the Security Bug Bounty Program.

When the PSIRT receives a vulnerability report, one of the first tasks is to verify the report’s validity to see if the claim is accurate. After validating the vulnerability, chances are there will be an avalanche of report submissions at the same time; therefore, it is important for the team to prioritize depending on the severity of vulnerabilities. Then, the PSIRT moves on to the remediation process during which the reported vulnerability will be tested and fixed. Finally, once the patch is ready, the PM team will publish the advisory and release the update to the public. The PSIRT will then add this vulnerability into the Common Vulnerabilities and Exposures (CVE) list. To incentivize security researchers to report security vulnerabilities, the Bug Bounty Program offers monetary rewards to whoever reports a valid vulnerability report. However, participants need to meet several requirements to be eligible for the award. First, you have to be the very first researcher who reports the vulnerability. Second, the vulnerability is confirmed to be valid and replicable. Finally, you must comply with the program terms and regulations.

What lies ahead for Synology PSIRT

Because of the Bug Bounty Program, Synology has received valuable feedback from worldwide researchers who uncovered critical security weaknesses. For instance, there was a submission reporting a serious security loophole that was rated 9.8 on the Common Vulnerability Scoring System 3.0 (CVSS). Synology was able to take preemptive measures to minimize the risk before a vulnerability wreaks havoc on potentially susceptible products and services. Synology places much emphasis on users’ data security so we take a comprehensive approach to information security. For instance, the “Security by Design” policy which emphasizes considering all the security aspects during the developing process is something we’ve been doing. We also welcome more skilled security analysts to come join us. Synology will actively join more global third-party security platforms to facilitate closer coordination and cooperation with the security research community to add an extra layer of scrutiny to our products and services.

If you are interested in Synology Bug Bounty Program, welcome join us. To learn more about this program, please visit https://www.synology.com/en-global/support/bounty_program