Story image

Samsung Mobile launches bug bounty program

13 Sep 2017

Samsung is the latest vendor to jump into the world of bug bounties through the launch of Samsung Mobile Products Rewards Program.

The program covers vulnerabilities on Samsung Mobile devices, services and applications developed by Samsung, as well as eligible third party apps specifically designed for Samsung. It does not cover vulnerabilities that could be found on other Android devices.

“Samsung is officially launching our Mobile Security Rewards Program, a new vulnerability rewards program which invites members of the security community to assess the integrity of Samsung’s mobile devices and associated software to identify potential vulnerabilities in those products,” Samsung says in a statement.

Rewards range from US$200 to $200,000 depending on how severe the discovered vulnerability is.

If the vulnerability report does not include a proof of concept, reward amounts may be reduced although the vulnerability will still be considered.

“Higher rewards amount will be offered for vulnerabilities with greater security risk and impact, and even higher rewards amount will be offered for vulnerabilities that lead to TEE or Bootloader compromise. On the other hand, rewards amount may be significantly reduced if the security vulnerability requires running as a privileged process,” the rules state.

Participants must not conduct any illegal activities, attack any Samsung servers, damage data or physical assets, or infringe any third party rights.

Eligible devices include:

- Galaxy S series (S8, S8+, S8 Active, S7, S7 edge, S7 Active, S6 edge+, S6, S6 edge, S6 Active)  - Galaxy Note series (Note 8, Note FE, Note 5, Note 4, Note edge) - Galaxy A series (A3 (2016), A3 (2017), A5 (2016), A5 (2017), A7 (2017)) - Galaxy J series (J1 (2016), J1 Mini, J1 Mini Prime, J1 Ace, J2 (2016), J3 (2016), J3 (2017), J3 Pro, J3 Pop, J5 (2016), J5 (2017), J7 (2016), J7 (2017), J7 Max, J7 Neo, J7 Pop) - Galaxy Tab series (Tab S2 L Refresh, Tab S3 9.7)

Researchers who discover any vulnerabilities must be the first to report it if they want to qualify for the reward.

Furthermore, bugs that: have no security impact; a ‘very low’ exploit probability; must not involve extensive user involvement like clickjacking or phishing; result in a crash without an exploit or are up for grabs in other bounty programs do not count.

Participants must submit reports by Samsung Mobile’s security reporting page.

“Samsung’s Mobile Security Rewards program is the latest initiative to demonstrate our steadfast commitment to working in close partnership with the security research community and enabling secure experiences for all our customers,” Samsung concludes.

Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
NZ ISPs issue open letter to social media giants to discuss censorship
Content sharing platforms have a duty of care to proactively monitor for harmful content, act expeditiously to remove content which is flagged to them as illegal.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Bitdefender invests in A/NZ with new offices and regional director
Bitdefender has opened its Partner Advantage Network (PAN) programme with the aim of recruiting and supporting its over 500 local resellers.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
Online attackers abusing Kiwis' generosity in wake of Chch tragedy
It doesn’t take some people long to abuse people’s kindness and generosity in a time of mourning.
Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place to go over the current threat environment and what to look out for next.