Samsung has significantly increased its bug bounty program as part of its ongoing efforts to enhance mobile security.
The tech giant is now offering rewards of up to $1 million for researchers who can demonstrate critical vulnerabilities in its mobile devices, particularly those related to arbitrary code execution on highly privileged targets.
This new initiative, part of Samsung’s Important Scenario Vulnerability Program (ISVP), focuses on vulnerabilities that could significantly impact their products. The program specifically targets the following critical scenarios:
- Arbitrary code execution on privileged targets.
- Device unlocking and full user data extraction.
- Arbitrary application installation.
- Bypass of device protection solutions.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access
The highest reward of $1 million is reserved for remote arbitrary code execution vulnerabilities targeting Knox Vault, Samsung’s secure environment for storing sensitive data. Other notable rewards include:
- Up to $400,000 for remote code execution on TEEGRIS OS.
- Up to $300,000 for remote code execution on Rich OS.
- Up to $400,000 for device unlock and full user data extraction before first unlock.
To qualify for these top-tier rewards, researchers must meet several criteria:
- The report must fully satisfy the Good Report Bonus requirements.
- Include a buildable exploit demonstrating a successful attack on one or more Important Scenarios.
- The exploit must work consistently on the latest security update of the latest flagship devices (Galaxy S and Z series).
- The exploit should be executable without privileges.
Samsung’s increased bounties reflect mobile security’s growing importance in an era of increasingly sophisticated cyber threats. Samsung encourages security researchers to find and report critical vulnerabilities, aiming to prevent potential attacks and protect users’ data.
This move aligns with Samsung’s long-standing commitment to mobile security. The company has been running its Mobile Security Rewards Program since 2016, continuously updating it to cover new devices and services.
The program now encompasses 38 Samsung mobile devices that receive monthly and quarterly security updates and various Samsung Mobile Services like Bixby, Samsung Account, Samsung Pay, and Samsung Pass.
By significantly increasing the potential rewards, Samsung is not only attracting more security researchers to detect vulnerabilities in its products but also showing its commitment to maintaining high standards of security for mobile devices in an increasingly complex digital world.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide