|Samsung Bug Bounty Program|
|Written by Lucy Black|
|Thursday, 14 September 2017|
Samsung has announced a Mobile Security Rewards Program with rewards of up to $200,000 on offer for discovering and reporting vulnerabilities in its mobile devices and services.
The bug bounty program covers all Samsung Galaxy mobile devices that are currently receiving monthly or quarterly security updates, which gives a total of 38 devices, although this may vary by region. It also extends to Samsung Mobile Services, including Bixby, Samsung Account, Samsung Pay and Samsung Pass.
According to Samsung's press release, the Mobile Security Rewards Program is being introduced after a pilot launched in January 2016 to:
ensure an efficient and productive public introduction to the broader security community.
Samsung assigns vulnerabilities to four severity levels, Critical, High, Moderate and Low, which closely mirror those used by Google's Android Security Rewards program.
Google offers up to $200,000 for a report that includes an exploit leading to TEE (TrustZone) compromise. A similar sum was billed as the top reward on offer from Apple when it launched an invitation-only bounty program last year.
The cash on offer from Samsung appears to be equivalent, and, as with Google and Apple, the amount paid for any reported bug is at the discretion of the company. Samsung states:
Depending on the severity level of the vulnerability, the rewards amount will range between USD $200 and USD $200,000 for qualified Reports. Please understand that no reward will be given to Reports with No Security Impact.
and also stipulates that the security risk and impact of a reported bug:
will be decided by Samsung's internal evaluation in its sole discretion.
The other conditions that need to be borne in mind are:
If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.
Higher reward amounts will be offered for vulnerabilities with greater security risk and impact, and even higher reward amounts will be offered for vulnerabilities that lead to TEE or Bootloader compromise. On the other hand, the reward amount may be significantly reduced if the security vulnerability requires running as a privileged process.
Having another bounty program sounds like good news for security researchers, and also for end users of Galaxy devices, who can be more confident that vulnerabilities in their phones are more likely to be found, reported and fixed before they are exploited.