Security researchers have another lucrative opportunity to earn large payouts for their findings. Samsung has announced a separate bug bounty program for its flagship Galaxy phones that focuses on what the company calls ‘Important Scenarios’.
New Bug Bounty Program Focuses On ‘Important Scenarios’ For Samsung Galaxy Devices
As announced recently, Samsung has launched a new reward program named the ‘Important Scenario Vulnerability Program.’
This program is separate from Samsung’s existing mobile reward program. As its name suggests, it is limited to specific attack scenarios that Samsung deems important for its Galaxy devices.
Samsung’s post lists three targets; a severe security vulnerability affecting any of them makes the researcher eligible for this program. These are:
- Knox Vault: A hardware-based secure vault in Samsung devices that allows users to safely store sensitive information, such as passwords, biometric data and crypto keys. This dedicated security chip protects the stored data from threats like side-channel attacks, tampering, probing, and fault injection attacks.
- TEEGRIS OS: A system-wide security solution that executes applications in the TrustZone-based trusted execution environment.
- Rich OS: The main, Android-based operating system on Galaxy devices, where user applications are installed. It runs in the normal world, outside the TEEGRIS trusted execution environment and Knox Vault, and is the largest attack surface of the three.
The maximum payouts depend on the target and on whether the arbitrary code execution (ACE) vulnerability is local or remote:
| Target | Local ACE | Remote ACE |
|---|---|---|
| Knox Vault | up to $300,000 | up to $1,000,000 |
| TEEGRIS OS | up to $200,000 | up to $400,000 |
| Rich OS | up to $150,000 | up to $300,000 |
Regarding eligibility, Samsung explained that high-quality reports with buildable, reproducible exploits against the listed Important Scenarios qualify. The exploit must work against the latest security update of the current flagship Galaxy Z and Galaxy S series devices and must run from an unprivileged context.
Samsung also listed other scenarios that qualify for large bounties:
- Device Unlock & Full User Data Extraction: $200,000 to $400,000
- Arbitrary application installation from Galaxy Store: $30,000 to $60,000
- Other arbitrary app installation: $50,000 to $100,000
- Auto Blocker bypass: $100,000