Samsung launches bug bounty program for mobile devices

Researchers can earn up to $200,000 for disclosing bugs impacting the security of your handsets.
Written by Charlie Osborne, Contributing Writer

Samsung has launched a bug bounty program to find and neutralize bugs impacting the firm's mobile platform.

On Wednesday, the company said the new scheme focuses on mobile devices and their firmware, including the Galaxy S series, the Note series, Galaxy A and J product lines, and the Galaxy Tab.

In total, 38 mobile devices have been included in the bug bounty, ranging from low-end to premium mobile devices manufactured by the South Korean electronics giant.

Researchers interested in finding vulnerabilities must test active devices which are up-to-date with the latest firmware and security patches, and vulnerabilities on third-party applications used to exploit bugs must be specific to Samsung Mobile devices, applications, or services.

Vulnerabilities have been categorized into four severity levels: critical, high, moderate, and low. Based on the severity of the bug report, rewards will range from $200 to $200,000.

Critical issues include code execution, remote crashing, device bricking, Secure Boot bypass, and the remote bypass of user-interaction requirements on package installations or similar activities.

Bugs classified as of "high" importance include remote code execution without privileges, unauthorized access to data secured by the TEE, local permanent denial-of-service, and the general bypass of operating system protections.

The highest rewards are reserved for reports that include working Proof-of-Concept (PoC) code, and "even higher" amounts will be issued for bugs leading to the compromise of the Trusted Execution Environment (TEE) or mobile bootloaders.

"We look forward to your continued interests and participations in our Samsung Mobile Security Rewards Program," Samsung says. "Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile."

When duplicate reports are received, only the first one is eligible for a reward, according to Samsung.

In addition, reports of bugs which have "no security impact," those which need physical access and developer debugging tools such as ADB, vulnerabilities covered by other programs -- such as Android Rewards or Qualcomm's bug bounty scheme -- and reports based on security flaws which are already public will not result in any rewards.

Samsung also says that bugs requiring "excessive user interaction," phishing, clickjacking, or cases where "the probability of exploit is very low" are not reports Samsung wants to see.


Samsung asks for bug reports to be made privately and not publicly disclosed at the time of submission, and promises to respond to and triage the issue within 48 hours, with a "best effort" pledge to fix problems within 90 days.
