Samsung offers up to $200,000 for bugs in its devices, services

South Korean giant Samsung Electronics is now offering bounties for reported bugs in its mobile devices, software and services.

“The rewards program kicked off with a pilot in January 2016 to ensure an efficient and productive public introduction to the broader security community,” the company explained. “Samsung’s Mobile Security Rewards program is the latest initiative to demonstrate the company’s steadfast commitment to enabling secure experiences for all its customers.”

Samsung bug bounty

What’s in scope?

Researchers are instructed to search for vulnerabilities in:

  • Active Samsung Mobile services, including Bixby, Samsung Account, Samsung Pay and Samsung Pass
  • All Samsung mobile devices currently receiving monthly and quarterly security updates (Galaxy S, Galaxy Note, Galaxy A, Galaxy J, and Galaxy Tab series of devices)
  • Applications developed and signed by Samsung Mobile, as well as third party applications specific to Samsung Mobile devices, applications or services.

“Depending on the severity level of the vulnerability, the rewards amount will range between USD $200 and USD $200,000 for qualified reports,” the company noted, and pointed out that smaller rewards will be given for reports that don’t include valid Proof-of-Concept, and no reward will be given to reports with no security impact.

Samsung bug bounty

The list of bug categories also not eligible for rewards includes, among others, those involving scenarios requiring excessive user interaction, complex scenarios that make it unlikely that the flaw will be exploited, and bugs that require physical connection to the device with developer-level debugging tools.

“Higher rewards amount will be offered for vulnerabilities with greater security risk and impact, and even higher rewards amount will be offered for vulnerabilities that lead to TEE or Bootloader compromise. On the other hand, rewards amount may be significantly reduced if the security vulnerability requires running as a privileged process,” they added.

The company promises to respond to reports in 48 hours, and make their “best effort to resolve security vulnerabilities, and release patches to end-consumers within 90 days.”

More information about the program can be had here.