Samsung on Thursday announced the official launch of the Samsung Mobile Security Rewards Program, which promises bug bounties of up to $200,000 for Critical vulnerabilities in Samsung mobile devices and associated software.
The new vulnerability rewards program is open to members of the security community interested in assessing the integrity of Samsung’s mobile devices and associated software, the company says.
Depending on the severity level of the disclosed vulnerabilities, bug bounties will range between $200 and $200,000. If a vulnerability report is submitted without a valid proof of concept, Samsung will decide whether it qualifies for a reward based on the reproducibility and severity of the issue, and might significantly reduce the reward amount.
“Higher rewards amount will be offered for vulnerabilities with greater security risk and impact, and even higher rewards amount will be offered for vulnerabilities that lead to TEE or Bootloader compromise. On the other hand, rewards amount may be significantly reduced if the security vulnerability requires running as a privileged process,” the company says.
To qualify for rewards, security researchers need to submit security vulnerability reports that are applicable to eligible Samsung Mobile devices, services, and applications developed and signed by Samsung Mobile. Vulnerabilities in eligible third-party applications developed for Samsung are also accepted.
Should two reports be received for the same vulnerability, only the first report is considered. Only reports for vulnerabilities that haven’t been publicly disclosed are accepted.
Researchers can submit findings via the Security Reporting page.
Researchers are encouraged to find vulnerabilities in currently active Samsung Mobile services, as well as in applications developed and signed by Samsung Mobile that are up to date with the latest update. As for vulnerabilities in third-party applications, Samsung requires that they be specific to Samsung Mobile devices, applications or services.
Samsung also notes that it accepts vulnerability reports impacting Galaxy S series, Galaxy Note series, Galaxy A series, Galaxy J series, and Galaxy Tab series devices. Interested security researchers are encouraged to read the requirements and guidelines Samsung has published for the program.
“We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports. Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile,” Samsung says.