Espressif ESP8266 Bug Bounty Program – Report a bug and win USD1000



Espressif is working hard to remove bugs from their very popular ESP8266 WiFi SoC. They want to make it a superior solution to the CC3000, the competing product from TI, which is well known for its security issues.

So on March 20th Espressif boldly posted the Bug Bounty Program on their BBS: they will give USD 1000 to anyone who reports a bug in the ESP8266.

We are working intensively with the ESP8266 to make our plug-and-play IoT solution with pluggable UEXT modules for the ESP8266-EVB, and one of our developers, Peter, found a bug in the SSL implementation where you can brick or reset the ESP8266 by sending a large amount of data over HTTPS. He reported the bug to Espressif and today he got this e-mail:

From: Quote
Sent: Wednesday, April 8, 2015 5:26 PM
To: peter@
Subject: ESP8266-Bug Bounty Winner Information Requirement (BBP#29)

Thank you for your bug report, which will help us improve our SDK.
Our engineer has confirmed your bug report and they will release debug method to you later.
I am assigned to give the reward to you.
Please provide some information to us, which is needed for us to keep record.

a. The company you are working for
b. Your name
c. Your nickname that you want to be announced
d. contact number or mail
e. Paypal account or bank account
You should declare tax according to your local law by yourself.

Yay! A quick USD 1000 earned 🙂 Glad to see Espressif stands behind their word.

And from the e-mail header it seems Peter is not alone, but is #29 in the Bug Bounty Program.

On the other hand, if they decided to open-source their binary blobs, these bugs would be fixed by the community (which is huge and growing every day). So they could save themselves these $30K.

Having the sources would also make people less nervous about using the ESP8266 in more serious applications, where it is not good to have “black boxes” with unknown code inside.

8 Comments

  1. Max
    Apr 09, 2015 @ 10:40:14

    Typical of our times – reading the part of the letter with “I am assigned to give the reward to you” I had an immediate, Pavlovian “spam! spam! spam!” reaction… :))) Anyway, congrats to Peter!

  2. SK
    Apr 10, 2015 @ 12:19:49

    Are you gonna give some bonus to Pesho or take the whole reward for the company?🙂

  3. zoobab
    Apr 10, 2015 @ 15:11:15

    “Having the sources would also make less nervous people who want to use ESP8266 in more serious stuff where is not good to have “black boxes” with unknown code inside.”

    Especially when in some mode it posts reports to a server in China. Will try to find the reference.

  4. SK
    May 23, 2015 @ 20:46:10
