Samsung today announced the launch of its inaugural Mobile Security Rewards Program, a new vulnerability rewards program which invites members of the security community to assess the integrity of Samsung’s mobile devices and associated software to identify potential vulnerabilities in those products.
By leveraging the skills and expertise of the security research community, Samsung will strengthen its ongoing commitment to providing customers with a secure mobile experience.
“As a leading provider of mobile devices and experiences, Samsung recognizes the importance of protecting users’ data and information, and prioritizes security in the development of each of its products and services,” said Injong Rhee, Executive Vice President and Head of R&D, Software and Services of the Mobile Communications Business at Samsung Electronics.
“As part of our commitment to security, Samsung is proud to work in close partnership with the security research community to ensure that all of our products are monitored closely and continually for any potential vulnerabilities.”
Samsung’s Mobile Security Rewards program is the latest initiative to demonstrate the company’s steadfast commitment to enabling secure experiences for all its customers. The rewards program kicked off with a pilot in January 2016 to ensure an efficient and productive public introduction to the broader security community.
Additionally, since October 2015 Samsung has been releasing monthly security updates for its flagship devices. This industry-leading pace of updates would not be possible without the cooperation and assistance of security researchers across the globe.
Mobile Security Rewards Program Details
The program will cover all of Samsung’s mobile devices currently receiving monthly and quarterly security updates, a total of 38 devices. In addition, the program will reward submissions for potential vulnerabilities in the latest Samsung Mobile Services, including Bixby, Samsung Account, Samsung Pay and Samsung Pass, among others.
Depending on the severity of a given submission, as well as the researcher’s ability to provide a proof of concept, Samsung will issue rewards of up to $200,000.
Rewards amount and process
1. The severity is classified into 4 levels (Critical, High, Moderate, and Low) depending on the security risk and impact, and it will be decided by Samsung’s internal evaluation in its sole discretion.
2. Depending on the severity level of the vulnerability, the rewards amount will range between USD $200 and USD $200,000 for qualified security reports. No reward will be given for reports with No Security Impact.
3. If the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.
4. Higher reward amounts will be offered for vulnerabilities with greater security risk and impact, and even higher reward amounts will be offered for vulnerabilities that lead to TEE or Bootloader compromise. On the other hand, the rewards amount may be significantly reduced if exploiting the security vulnerability requires running as a privileged process.
5. You are responsible for any tax implications depending on your country of residency and citizenship. Withholding tax may be deducted from the monetary reward in accordance with the laws of the applicable jurisdiction, and the tax rate may differ by country.
6. The process and guidelines for the rewards program are as follows:
  - Reporter submits a vulnerability report via the Security Reporting page ⇒ Samsung team performs an internal evaluation of the vulnerability report and, if valid, confirms the assigned severity level ⇒ Samsung team prepares a remedy ⇒ If qualified, reporter is notified of the rewards amount ⇒ Rewards payout is processed by the Samsung internal bounty team or an external processing party, depending on the location of the reporter’s residence
  - When communicating with the internal bounty team, please use Samsung’s public PGP key (Fingerprint: F5F3 8EEC 4388 E4E2 9184 78BD BA2D 9A24 CD38 64BE) to secure private and personal information.
  - This rewards program process will be terminated if the report or the reporter’s handling of the vulnerability does not satisfy all requirements and conditions as stated herein.
  - Once the rewards program process is initiated, it may take up to 2 months until the monetary reward is paid out, assuming the required documents are prepared completely and submitted on time.