Samsung has announced a new bug bounty program that offers rewards of up to $200,000 for qualifying vulnerability reports.
At the beginning of September, Samsung launched its own vulnerability rewards program. The move, which other big-name companies like Apple have already embraced, constitutes an important step forward in an age of ever-growing digital threats.
The multinational conglomerate based in Seoul, South Korea created the program in an effort to protect the end users of its mobile products. As it explains on the bug bounty's launch page:
“We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports. We look forward to your continued interests and participations in our Samsung Mobile Security Rewards Program. Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile.”
To qualify for a reward, security researchers must submit a vulnerability report that demonstrates a vulnerability affecting the Galaxy S series, the Galaxy Note series, and other Samsung mobile devices in their latest Android version and firmware. Bounty hunters can also hope to receive a reward for detailing a flaw in Samsung Mobile services or applications signed by Samsung Mobile.
Of course, not all software flaws qualify. Those with no security impact, that require a physical connection to a device, or that necessitate extensive user interaction, for instance, don’t fall under the scope of the vulnerability rewards program.
But for bugs that do fit the bill, researchers can hope to cash out big.
Indeed, Samsung is willing to pay up to $200,000 for “critical”-level security issues, especially those by which an attacker could seek to compromise the bootloader or trusted execution environment (TEE) inside of the main processor of a device. Bounty hunters can also submit reports for “high,” “moderate,” and “low” flaws. Their rewards will likely amount to at least $200 so long as they submit a valid proof-of-concept for the discovered flaw.
Anyone who would like to responsibly disclose a bug as part of Samsung Mobile’s VRP can do so here.