
ToyTalk, maker of Web-connected Hello Barbie, launches bug bounty

By Sean Sposito
(FILES) In this February 14, 2010 file photo, a woman photographs a wall of Barbie dolls in the Mattel display at the annual Toy Fair, in New York. The new Barbie doll is "intelligent" and connected. Too connected for some privacy activists. The high-tech "Hello Barbie" doll unveiled earlier this year by toy giant Mattel and likely to be a holiday hit allows children to speak and get a response from their favorite toy. But to make that happen, conversations travel over Wi-Fi networks to Internet "cloud" servers that use artificial intelligence to deliver a personal reply. For the activist group Campaign for a Commercial-Free Childhood, the privacy risks of the intelligent Barbie outweigh the benefits. "Children confide in dolls and reveal intimate details about their lives, but Hello Barbie won't keep those secrets," the group said in a statement November 30, 2015. Photo: Stan Honda/AFP/Getty Images

The San Francisco startup responsible for the technology inside the first Internet-connected Barbie doll has opened up a line of communication with hackers.

With the knowledge that hackers have been attempting to compromise Hello Barbie, a doll that uses the Web to converse with kids, ToyTalk launched what’s known as a bug bounty program last week.

This reward system of sorts could earn a security researcher as much as $10,000 for finding and reporting vulnerabilities to the company.


“Mattel and ToyTalk have invested a lot of effort to build the safest experience possible for parents and their children,” wrote Martin Reddy, ToyTalk’s co-founder and chief technical officer, in a Thanksgiving Day post on Tumblr.

“As part of that commitment, we are actively engaging the security community to address any concerns.”

Facilitated by HackerOne, a startup that connects hackers with companies that need security help, the program has already caught at least 22 reported vulnerabilities. ToyTalk has thanked more than 50 hackers for sharing their insight.

After being questioned by The Chronicle in October about the privacy and security risks surrounding the device, a spokesman said ToyTalk was contemplating such a program.


But that doesn’t take away from the fact that ToyTalk is doing the right thing, said Rodney Joffe, a senior vice president and fellow at cybersecurity firm Neustar.

ToyTalk “is setting a really good example,” he said — specifically among toymakers creating Web-connected devices that are a growing part of the Internet of Things.

He added that larger companies that have experienced much more serious security issues have not yet taken similar steps.

Most hackers aren’t malicious — they find joy in finding bugs and getting them fixed. But without a clear way to tip off companies, there’s a risk they’ll disclose weaknesses in other ways.

Last week, a hacker who gained unauthorized access to the servers of Hong Kong toymaker VTech chose to disclose the information to Vice Media.


VTech reportedly failed to safeguard the names, e-mail addresses, passwords and home addresses of people using the products, revealing the identities of millions of parents and hundreds of thousands of children.

In an interview with the news organization, the hacker said he or she doesn’t “intend to publish or sell the data.”

“Going to the media is something that most ethical hackers do if they are not getting what they need from the corporation they are trying to work with,” said Ryan Kalember, a senior vice president of cybersecurity strategy at Proofpoint.

Sean Sposito is a San Francisco Chronicle staff writer. E-mail: ssposito@sfchronicle.com; Twitter: @seansposito


Sean Sposito covers information security and data privacy for The San Francisco Chronicle; previously, he was a data specialist at the Atlanta Journal-Constitution. His byline has appeared in American Banker, the Newark Star-Ledger, the Boston Globe, the Arkansas Democrat-Gazette and The Record of Bergen County, NJ.

He’s also a former data analyst at the National Institute of Computer Assisted Reporting.