Nokia has admitted that its Series 40 operating system has security vulnerabilities, and has refused to rule out paying €20,000 to the researcher who exposed the flaws.
Adam Gowdiak of Security Explorations said earlier this month that he wanted payment for effort spent finding the flaws, which could allow stealth installation and activation of applications.
"For obvious reasons of security, we will not comment further on the detail of our activities with Security Explorations," said Nokia spokeswoman Kaisa Hirvensalo.
Gowdiak, a researcher in Poland, found problems with Java 2 Micro Edition, (J2ME) an application framework for mobile devices, as well as the Series 40 OS. Nokia claims Series 40 is the mostly widely used mobile device platform.
Gowdiak has done research on the Java Virtual Machine and wrote on his website that he worked at one time for its developer, Sun Microsystems.
Vendors typically steer clear of paying researchers for vulnerability information and alternatively encourage what they term is "responsible disclosure", or a discrete notification before vulnerability information is made public. Otherwise, users of a particular software are at risk while a vendor tries to develop a patch.
Nokia said some of its Series 40 products are vulnerable to an attack that could result in the secret installation of applications. The company said it has also found earlier versions of J2ME could allow privilege escalation or access to phone functions that should be restricted.
"Our testing has been concentrating on products that might have both of the claims present," according to a Nokia statement.
Nokia said it isn't aware of attacks against Series 40 devices, and the problems do not represent a "significant risk".
While details on the vulnerabilities are limited, Gowdiak has said an attack could be mounted by sending maliciously crafted messages to a particular phone number.
Gowdiak could not be immediately reached for comment.