Qualcomm Technologies Inc. Vulnerability Rewards Program

Qualcomm Technologies, Inc. (QTI) understands that maintaining a large variety of products comes with certain responsibilities.

We recognize that conducting security research often requires investing a large amount of time and skill in order to make an impact. We are lucky enough to work with a top-notch community and have had good experiences in the past when working with security researchers. We definitely appreciate the hard work and effort that external security researchers have put into researching and improving security within the mobile ecosystem. Subject to the following rules, we are sponsoring the following program to recognize individual research efforts.

At this time we only accept and reward vulnerabilities in Qualcomm products. If you would like to report an issue with Qualcomm infrastructure including the website please use the following mailing address: [email protected]

Vulnerability Reports

In order to maximize the effectiveness of our response processes and lower time spent on understanding the specific concern, we ask you to submit high quality reports, including a written description of the vulnerability, information on respective source code snippets or binary analysis, and proof-of-concept code or any other supporting material that helps assessing the vulnerability quickly and effectively. Reports must provide a convincing case for the security impact of the reported issue.

Good examples of such reports also usually include information about the affected devices and versions, description of issue impact and vulnerability type, description of an attack scenario, and instructions on reproducing the issue.

All eligible vulnerability submissions must be done through the HackerOne reporting tool. Please be aware that for the time being we do not accept software patches.

Program Rules

Qualifying Devices/Targets

We are rewarding qualified vulnerability submissions in certain types of software running on specific hardware. Development platforms are excluded from qualifying devices/targets. The following is a current list of hardware and software components that qualify. From time to time, we may update this list.

Hardware

Vulnerabilities affecting the following chipset families are in scope. We routinely accept vulnerabilities outside of this list. Please contact us for more information. Note some chipsets within the families may be EOL and not covered for reward, unless it affects a non-EOL supported product.

• Windows On Snapdragon (8cx) and Snapdragon X Elite
• Snapdragon 8 Gen * ( Eg Gen 1, Gen 2, 3 )

This page can help to identify commercial devices that make use of the Snapdragon chipsets.

Chipsets generally remain in scope for 3 years after Qualcomm begins customer deliveries. However, we also accept reports for chipsets after this date if the reporter can identify at least one OEM/device manufacturer that still actively supports a device that makes use of the chipset in question. We also usually reward critical- or high-rated reports for products of any age if there is reason to believe that the reported vulnerability impacts one or more devices within the 3 year window or that are still actively supported by the OEM/manufacturer.

Software

The following is a list of software component categories which are eligible for rewards. Software must be present on the aforementioned devices in order to qualify. A valid report must mention at least one concrete commercial device.

We are currently rewarding vulnerabilities in the following software components:

• Linux kernel code that is part of "Android for MSM" (Qualcomm Innovation Center authored code available from codeaurora.org and not solely present in . The Linux kernel version used in the device must be mentioned in the submission to qualify as a valid report.
• QSDK code that is part of the "QSDK" (Qualcomm Atheros authored code available from codeaurora.org and not solely present in end of life branches.
• Privileged user space programs (i.e. running as root or system)
• Bootloader (all boot stages)
• Cellular modem
• WLAN, Bluetooth, video, and graphics firmware
• Qualcomm Secure Execution Environment (QSEE) on TrustZone
• Qualcomm authored code that is run on the Qualcomm® Snapdragon™ Mobile PC Platform (code run in user space must be privileged)

Eligibility

In addition to eligible devices and targets, the following rules generally apply to all vulnerability submissions:

• Vulnerabilities must be clearly attributable to Qualcomm Technologies and its affiliates.
• Issue must be exclusively communicated to QTI Vulnerability Rewards Program.
• Issue must be unknown to QTI.
• Only the first report of a vulnerability can qualify for a reward.
• Only privately, coordinated, and confidential disclosures can qualify for a reward.
• All information related to the vulnerability must remain private during the coordinated disclosure time frame.
• Only individuals can qualify. We don't reward companies, institutions.
• Employees of Qualcomm Technologies and its affiliates are not eligible.
• Customers and partners of Qualcomm Technologies and its affiliates are not eligible for rewards if the reported issues affect proprietary code. However we can credit these submitters for any CVE IDs that result.

QTI retains ultimate discretion to determine the eligibility of a submission. In particular, we may decide to pay even more for unusually clever or severe vulnerabilities, decide that a single report actually constitutes multiple bugs, or that multiple reports are so closely related that they only warrant a single reward. Note that incomplete submissions, especially those lacking a PoC in the initial submission, may result in reward, credit, and CVE ID ineligibility.

Furthermore, we usually do not reward the following issues:

• Denial of service issues that result in crashes triggered by a local access vector, but otherwise no observable security impact (for example because the issue is remediated by system services through automatic restarts, not causing permanent denial of service conditions, etc.).
• Side-channel attacks that require the attacker to physically interact with the device through interfaces not designed for communication with the device (e.g. power-analysis by reading the voltage input directly from the pins). Side-channel attacks that can be launched from software, such as the CLKSCREW attack, are within the scope of this program.
• Issues introduced due to carrier or device manufacturer misconfiguration (e.g. intentionally enabled debug capabilities).
• Issues that can be attributed to OEMs or introduced by OEM modifications.
• Issues in x86/x64 software.
• Issues identified in third-party components not under QTI's control.
• Android applications distributed through Google play and other non-bundled applications.
• Kernel pointer leak issues that are based on the format specifier %p
• Reports that we determine are based wholly or in part on Qualcomm proprietary source code that has been improperly released/obtained.

In case of issues that can be attributed to multiple parties or issues that cannot be attributed to QTI and its affiliates, we reserve the right to decide rewards on an individual case-by-case basis. In these cases, you may choose to accept our assistance with multi-party coordination (when we have the appropriate contacts) or you may attempt to contact the other parties directly after our determination.

The mobile ecosystem is based on a complex supply chain and attribution can be hard at times. First and foremost, this program is targeted towards rewarding vulnerabilities in code that we control and that we can address directly. This means we usually do not reward vulnerabilities in third-party components out of our control. On the other hand, we'd like to leverage any possibility that we can to improve the security of our devices and appropriately reward contributions where we can. If you are unsure about whether some particular component is within scope or not, please don't hesitate to ask us in advance. Please see our FAQ for more information.

Rewards

We anticipate rewarding submissions according to the security impact reflected by our security ratings and the nature of the vulnerable software.

Active exploits are not required for vulnerability submissions. However, the quality of the vulnerability report such as whether the description is clear or not, other supporting material is workable, etc., will have impact on the rewards listed up to a 20% reduction. We also reserve the right to issue extra rewards for researchers who make outstanding effort in helping us address the vulnerability, or discover new classes of vulnerabilities or novel attacks.

Reports in certain areas must include a proof-of-concept (PoC that works in production environment is required with initial submission) to be considered for a reward. These areas are highlighted in the rewards breakdown below.

In rare exceptions, we reward vulnerabilities that are known to us already. This usually happens if the report identified further gaps that require follow-up on our end. We reserve the right to reward up to 50% of the listed amount in such cases on an individual basis at our sole discretion.

The below table is provided as a general guidance of our rewards per rating level. We recognize that there are corner cases which are not covered, for example the vulnerabilities in hardware. While we intend to apply the same rating rationale, we cannot make this a comprehensive list. Although we will try to abide by this list, the actual amount of a reward will be made at our sole discretion. Reward amounts are up to the listed maximum below.

• Security Rating: Critical

• TME/Secure Processor: $21,000

• Software Category: Cellular modem - Reward: $15.000

• Software Category: TEE - Reward: $9.000

• Software Category: Bootloader - Reward: $9.000

• Software Category: Application processor software and all other qualified components - Reward: $8.000

• Security Rating: High

• TME/Secure processor: $8,000

• Software Category: Cellular modem - Reward: $5.000

• Software Category: TEE - Reward: $5.000

• Software Category: Bootloader - Reward: $5.000

• HLOS Privileged service $2,000

• Software Category: Application processor software and all other qualified components - PoC that works in production environment is required with initial submission - Reward: $4.000 *Drivers such as KGSL/FastRPC that do not have SELinux permissions for Unprivileged apps: Reward up to $10,000. Please note the Up-to we will try our best to pay out as much as we can for these reports, but they need to be high quality, show how exploitation would work.

• Security Rating: Medium

• HLOS Privileged service $1,000 ** PoC Required **

• Software Category: All qualifying components - PoC that works in production environment is required with initial submission - Reward: $2.000 ** PoC Required **

• Security Rating: Low

• HLOS Privileged service: $200 ** PoC Required **

• Software Category: All qualifying components - PoC that works in production environment is required with initial submission - Reward: $200-$1.000

Along with the rewards listed above we accept issues and will consider a bonus payment for the following items:

• Exploits utilizing novel techniques related to our SoC Design -- Some examples of research we found useful and novel to our understanding Include Guang Gong's and Ben Hawkes GPU exploits that utilized SMMU mapping abuse. (Before starting on your exploit it would be best to reach out to us and make sure we're interested in receiving it. If we have multiple exploits utilizing the same technique that is no longer important for us, but if you have interesting ideas let us know.)
• Exploitable KGSL Issues or issues in drivers that are exposed to untrusted apps may garner an additional award (Proof-of-concept and concise write up required).
• Remote Modem issues

All researchers who qualified will become part of the QTI Product Security Hall of Fame or the CodeAuroraForum Hall of Fame, depending on the nature of the vulnerability.

Donations

Qualcomm values community engagement and has provided more than $330 million in donations since 2000, either directly or through the Qualcomm Foundation. In that spirit, we are pleased to announce that security researchers who participate in our Vulnerability Rewards Program can now choose to donate their reward to an eligible nonprofit organization of their choice, and Qualcomm will match that donation dollar for dollar. For program details, guidelines, and restrictions, please contact [email protected].

The fine print

Unfortunately, we cannot authorize payments to citizens of countries that are on sanctions lists or who reside in such countries. This include for example Cuba, Iran, North Korea, Sudan, and Syria. Additionally, participants are responsible for any tax implications. Please also pay attention to additional restrictions that may apply due to local laws. By providing a submission, you are providing QTI and its affiliates permission to use such submission to improve our products. You agree not to provide any submission that is not entirely yours to provide to QTI. QTI reserves the right to terminate this program at any time.

Revisions

2024/Jul/9th --Snapdragon X-Elite device reimbursement & extra rewards until October 1st (may extend).

2024-01-10 --FastRPC and KGSL related memory corruption bugs that are EXPLOITABLE will receive up to $10,000

2023-06-07 -- Added WoS into the program + campaign until September 2023

2022-11-14 -Modified the reward structure to add TME, and to differentiate HLOS Privileged components from Kernel components. Added notice of potential bonuses for specific areas. We will expand these bonus areas soon.

2022-01-11 -Clarified EOL devices, and added Snapdragon 888 and Series 8 Gen 1 as examples.

2021-11-03 -Gunyah Hypervisor is officially supported for rewards in the VRP.

2021-07-28

• Media extractor issues are temporarily ineligible for reward for the next 6 months, starting July 28th 2021.
• DSP related issues are temporarily ineligible for reward until further notice. Modem and WLAN vulnerabilities are still accepted.

2021-4-23:

• The Gunyah Hypervisor is currently out of scope of eligibility for rewards at this time.

2020-06-19:

• Clarified the policy with respect to side-channel attacks. Physical side-channel attacks are not within scope of this program. Software-controlled side-channels are within scope of this program.

2020-01-08:

• Changed list of chipset families that are in program scope (Snapdragon X55 Modem has been added)

2020-01-07:

• Changed list of chipset families that are in program scope (Snapdragon 700 series has been added)

2019-08-29:

• Changed list of chipset families that are in program scope (Snapdragon 400/600/800 series are in scope)

2019-05-21:

• Added clarifications for PC software that is eligible for a reward

2019-04-23:

• Added new chipsets to the hardware that is in the scope of this program

2019-04-10:

• Added clarification about the time frame chipsets are in the scope of this program

2019-02-25:

• Added video and graphics firmware

2018-11-06:

• Emphasized that incomplete submissions may result in reward, credit, and CVE ID ineligibility
• Excluded customers and partners of Qualcomm Technologies and its affiliates if reported issues affect proprietary code from reward eligibility

2018-11-01:

• Emphasized that a PoC that works in production environment is required with initial submission

2018-10-17:

• Development platforms are excluded from qualifying targets
• Added Dakota family to the list of qualifying targets and QSDK to the software components list

2018-09-26:

• Minor update: changed 'Qualcomm proprietary code that has been improperly released/obtained' to 'Qualcomm proprietary source code that has been improperly released/obtained' in the 'we usually do not reward' bullet point list

2018-09-21:

• Emphasized that a convincing case for the security impact of the reported issue is required
• Added 'Qualcomm proprietary code that has been improperly released/obtained' to the 'we usually do not reward' bullet point list
• Removed PoC requirement for critical application processor software issues

2018-06-26:

• Added Snapdragon 660/670 to the Qualifying Devices/Targets list

2018-04-04:

• Added Snapdragon 845 to the Qualifying Devices/Targets list

2018-03-01:

• Reorganized text that explains active exploits are not required
• Clarified explanation of when POCs are required
• Added requirement to provide a POC for issues in specific areas in the rewards breakdown

2017-12-13:

• Added Donations section

2017-09-26:

• Added link to security ratings in Qualcomm's Product Security page
• Removed Vulnerability Rating section (the same information is now available on Qualcomm's Product Security page)

2017-06-08:

• Added Snapdragon 835 to the Qualifying Devices/Targets list

2017-06-07:

• Added kernel pointer leak issues based on %p to the list of issues that are usually not rewarded

2017-06-01:

• Introduced program policy revisions section
• Removed kernel version specification eligible software component category
• Added requirement to mention a concrete device in the submission
• Added requirement to list Linux kernel version used in the device if a vulnerability that affects Linux kernel code is submitted