Tearing down the walls that exist between organizations and getting everyone collaborating and working toward similar goals isn’t ever easy. After all, companies by their very nature are built to compete, protect their own proprietary information and safeguard market share. Samsung Electronics understands this, but the manufacturer also knows that fostering collaboration within the cybersecurity community is crucial for tackling the ever-evolving threat landscape.
To entice participation in its new-and-improved Mobile Security Rewards Program, Samsung increased the maximum reward amount to $1 million for eligible security vulnerability reports received from the external security community.
The company says this is part of its ongoing efforts to “foster transparency and increased collaboration in mobile security.” It also just released a security-focused Annual Rewards Program Report, which highlights the Mobile Security Rewards Program’s progress since its initial launch in 2017.
The program awarded more than $800,000 to 113 researchers in 2023 alone, with a total of more than $4 million in rewards being paid out to global security experts. “With cybersecurity attacks becoming increasingly intelligent and more challenging to identify, we actively encourage participation from the security community in finding these threats,” Samsung’s Justin Choi said in a press release.
“Their support helps us to ensure our products are continuously monitored for potential vulnerabilities, enabling us to constantly enhance the protection of our customers,” Choi continued. “It is critically important that this protection is provided and that user data and information are safeguarded, which is why we prioritize security throughout all our products and services.”
Adapting to Emerging Risks
By collaborating with a wide range of global experts—including cybersecurity researchers, ethical hackers and independent security professionals—Samsung’s program helps identify and address vulnerabilities. The program centers on attack scenarios and vulnerabilities like arbitrary code execution on highly privileged targets; device unlock and full user data extraction; arbitrary application installations; and bypass of device protection solutions.
“Partnering with the security community not only reinforces [our] dedication toward a transparent, collaborative framework that continuously adapts to emerging risks,” the manufacturer says, “but also speeds up the detection and resolution of these potential critical threats.”
Samsung’s program assigns severity levels based on security risk and impact across five categories: Critical, high, moderate, low and ineligible or less-than-low security impact. This classification provides guidance for both participants and the broader security community, and offers a structured framework for vulnerability reporting.
Samsung says the program covers all of its mobile devices that are currently receiving monthly, quarterly and biannual security updates. In addition, the program will reward eligible submissions for potential vulnerabilities in the latest Samsung Galaxy services, including Bixby, Samsung Account and Samsung Wallet.
Who Gets What?
Reward sizes vary based on the work involved and the vulnerability in question. According to TechRadar, rewards for local arbitrary execution are about $300,000, while remote code execution (RCE) may see the larger reward size of up to $1 million. “The ‘Important Scenario Vulnerability Program (ISVP)’ will have people searching for exploits related to device unlocking, data extraction, and device protection bypass,” it says.
The maximum rewards require the vulnerability to be persistent and zero-click. Other rewards with a lower payout include remote arbitrary application installation from an unofficial marketplace or attacker server, which will see a $100,000 reward, and $60,000 if the application is installed from the Galaxy Store.
“To qualify as a successful report, the vulnerabilities must be a buildable exploit that works without privileges consistently on Samsung’s main device models running the latest security update,” TechRadar adds.