
Samsung Introduces a $200,000 Bounty Program for Hackers

Posted: September 8, 2017

The South Korean technology giant Samsung is the next company to launch a bounty program for white-hat hackers who report critical security flaws found in any of its software products. The program is called the Samsung Mobile Security Rewards Program, and anyone who discovers an eligible vulnerability that can be exploited to compromise a Samsung device could receive up to $200,000.

Reported vulnerabilities will be classified into 4 different levels of severity according to their security risk and impact. Assigning a flaw to a particular category is done exclusively at the company's discretion after its research team has completed an appropriate internal evaluation. Depending on the vulnerability's risk and impact, the bounties the company offers start at $200; however, certain conditions can reduce the amount of the reward, for example if the report does not contain a valid Proof-of-Concept, or if the security flaw requires running as a privileged process. Participants have no claim against the company's decisions, neither concerning whether a report qualifies for the bounty program, nor the level of severity to which the report has been assigned.

Reported vulnerabilities must allow compromising certain listed Samsung mobile devices and must concern services and applications developed and signed by Samsung Mobile, as well as certain third-party apps developed exclusively for Samsung. Therefore, vulnerabilities discovered in third-party code which affects all Android devices are not eligible for a reward. Furthermore, security flaws affecting Android devices that are covered by the bounty programs of other manufacturers or software developers are likewise not eligible for Samsung's reward program.

All requirements that must be met for a reward to be paid are listed in the company's official announcement. Among the most important is that the vulnerability must not require physical access to the target device with a developer-level debugging tool. Also ineligible are flaws that need "excessive" user interaction and rely on phishing and clickjacking techniques to conduct a successful attack, as well as flaws that result only in an application crash. Exploits that have a very low chance of being used by attackers are excluded from the program as well. Samsung will also not consider reports that simply mention the possibility of SQL or MITM attacks without presenting an actual working exploit.

The list of devices the bounty program applies to includes almost all models of Samsung mobile products, such as the Galaxy J and S series, Galaxy Tab series, and Galaxy Note series. All applications must be updated to the latest available version, and the applicable mobile services must be currently active. Lastly, all reports must be sent directly to Samsung, and participants must not publicly disclose any discovered vulnerabilities, which is a typical requirement of all similar bounty programs.
