Earn up to $200K finding bugs in Samsung smartphones

But as with any bug bounty, following the rules is essential….

David Bisson (@DMBisson)

Samsung's new bug bounty program offers rewards of up to $200K

Samsung has announced a new bug bounty program that offers rewards of up to $200,000 for qualifying vulnerability reports.

At the beginning of September, Samsung launched its own vulnerability rewards program. The move, which other big-name companies like Apple have already embraced, constitutes an important step forward in an age of ever-growing digital threats.

The multinational conglomerate based in Seoul, South Korea created the program in an effort to protect its mobile products' end users. As it explains on the bug bounty's launch page:

“We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports. We look forward to your continued interests and participations in our Samsung Mobile Security Rewards Program. Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile.”


To qualify for a reward, security researchers must submit a vulnerability report that demonstrates a vulnerability affecting the Galaxy S series, the Galaxy Note series, and other Samsung mobile devices in their latest Android version and firmware. Bounty hunters can also hope to receive a reward for detailing a flaw in Samsung Mobile services or applications signed by Samsung Mobile.

Of course, not all software flaws qualify. Those with no security impact, that require a physical connection to a device, or that necessitate extensive user interaction, for instance, don’t fall under the scope of the vulnerability rewards program.


But for bugs that do fit the bill, researchers can hope to cash out big.

Indeed, Samsung is willing to pay up to $200,000 for “critical”-level security issues, especially those by which an attacker could seek to compromise the bootloader or trusted execution environment (TEE) inside of the main processor of a device. Bounty hunters can also submit reports for “high,” “moderate,” and “low” flaws. Their rewards will likely amount to at least $200 so long as they submit a valid proof-of-concept for the discovered flaw.

Anyone who would like to responsibly disclose a bug as part of Samsung Mobile’s VRP can do so here.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
