
T‑Mobile Bug Bounty Program Makes Allies Out of Adversaries

By Jeff Simon, SVP & Chief Security Officer of T-Mobile, September 27, 2024

In the world of cybersecurity, hackers are considered adversaries, rightfully so, with businesses asking how they can stay one step ahead of them. But we at T-Mobile think of them a little differently and asked a different question: "What if we treated hackers as allies?" It may sound counterintuitive, but it stands to reason that the best way to understand what hackers are doing and thinking is to ask them.

That’s what we did when we revamped our bug bounty program last year in collaboration with Bugcrowd. Through the program, T-Mobile pays these allies — called ethical hackers, security researchers or white hats — to help us close doors to cybercriminals and fortify our efforts to protect customer information. The payments (bounties) range from $1,500 to over $100,000 for identifying and reporting potential security vulnerabilities (bugs) across our systems and platforms. The more critical or complex the bug, the higher the payout.

T-Mobile's Bug Bash at the Tech Experience 5G Hub in Bellevue, Washington

Ethical hackers helped us to identify and remediate a range of bugs, from minor to critical, and their findings have helped us implement broader measures and fixes across the company.

Through the program, we’ve had some key learnings:

Keep Ethical Hackers Engaged
For every bug found, there's one less to be discovered. As ethical hackers identify and report bugs, the pool of undiscovered vulnerabilities decreases, causing ethical hackers to move on to other bug bounty programs. To keep them engaged, we put three solutions in place.

First, we regularly expand the program’s scope by adding new platforms, systems, apps and services, along with monthly “special targets” that offer higher bounties. Second, we periodically increase bounties to incentivize searching for hard-to-find bugs. Lastly, we launched a bug bounty loyalty program that provides quarterly bonus payouts and additional rewards, such as digital badges and titles, based on the number of bugs submitted.

Our goal is to provide fresh challenges for ethical hackers, ensuring their efforts are well-rewarded and showing our appreciation for their expertise and contributions to our cybersecurity efforts.

In-Person Collaboration Yields Optimal Results
Energy comes when people get together. When the ethical hackers work side-by-side with our teams, they can collaborate on techniques and share expertise while rigorously testing systems and applications. This includes T-Mobile's hardware, which ethical hackers can't access remotely.

We have hosted two Bug Bash events this past year, the first in February at our Tech Experience 5G Hub in Bellevue, Washington, and the second in August at our new T-Mobile for Business Customer Experience Center in Las Vegas, Nevada. During these two-day events, ethical hackers test and find vulnerabilities, present their findings and build relationships with our teams. Though intense, our Bug Bashes yield results as we learn about hacking methods and complicated issues - such as chaining multiple vulnerabilities together. We look forward to bringing together new and returning ethical hackers at future Bug Bashes next year.

T-Mobile's Bug Bash at the T-Mobile for Business Customer Experience Center in Las Vegas, Nevada

Cybersecurity is a Shared Responsibility
Identifying vulnerabilities is only the first step. At T-Mobile, the teams responsible for the platform, system, app or service with a vulnerability are also tasked with implementing the fix and paying the bounty. This helps foster collaboration, as stakeholders across departments share learnings to resolve issues quickly. Also, we have engaged our employees - those who know T-Mobile best - in an internal bug bounty program, allowing everyone at T-Mobile to be part of our efforts.

Another Year Ahead
Our bug bounty program is a key part of our security strategy. By recognizing and rewarding the expertise of ethical hackers, T-Mobile leverages diverse knowledge and perspectives to help stay ahead of cybercriminals. We look forward to what the next year brings.

This program is just one of many ways we’re working to better protect customers, employees and their data. Earlier this year, we launched the Trust Center, a hub where you can learn about our other efforts and review our cybersecurity certifications, reports, audits, scores and more. To read more about online safety, cybersecurity and tools that we have for customers, head to our Newsroom and Privacy Center. To join our bug bounty program, check out bugcrowd.com/engagements/t-mobile.

- Jeff