Espressif is working hard to remove bugs from their very popular ESP8266 WiFi SoC. They want to make a superior solution to the competing CC3000 product from TI, which is well known for its security issues.
So on March 20th Espressif boldly posted the Bug Bounty Program on their BBS: they will give USD 1000 to anyone who reports a bug in the ESP8266.
We are working intensively with the ESP8266 to make our plug-and-play IoT solution with pluggable UEXT modules for the ESP8266-EVB, and one of our developers, Peter, found a bug in the SSL implementation where you can brick or reset the ESP8266 by sending a large amount of data over https. He reported the bug to Espressif and today he got this e-mail:
Sent: Wednesday, April 8, 2015 5:26 PM
Subject: ESP8266-Bug Bounty Winner Information Requirement (BBP#29)
Thank you for your bug report, which will help us improve our SDK.
Our engineer has confirmed your bug report and they will release the debug method to you later.
I am assigned to give the reward to you.
Please provide some information to us, which is needed for us to keep a record.
a. The company you are working for
b. Your name
c. Your nickname that you want to be announced
d. Contact number or mail
e. PayPal account or bank account
You should declare tax according to your local law by yourself.
Yay! A quick USD 1000 earned 🙂 Glad to see Espressif stands behind their word.
And judging from the e-mail header, Peter is not alone but #29 in the Bug Bounty Program.
On the other hand, if they decided to open source their binary blobs, these bugs would be fixed by the community (which is huge and growing every day). So they could save themselves these $30K.
Having the sources would also make people less nervous about using the ESP8266 in more serious applications, where it is not good to have “black boxes” with unknown code inside.