Samsung has launched a groundbreaking new bug bounty initiative designed to significantly enhance the security of its mobile devices. The ‘Important Scenario Vulnerability Program’ (ISVP) offers substantial rewards for the discovery of critical vulnerabilities that could potentially compromise device security. The program promises up to $1,000,000 for reports detailing remote code execution (RCE) vulnerabilities on the Knox Vault, Samsung’s secure environment for sensitive data. This initiative is part of Samsung’s broader effort to strengthen its defenses against sophisticated cyber threats.
The ISVP focuses on vulnerabilities across several key areas, including Knox Vault, Trusted Execution Environment (TEEGRIS OS), and Rich OS. Rewards are tiered based on the severity and type of the vulnerability. For example, local arbitrary code execution on Knox Vault earns $300,000, while RCE vulnerabilities on the same platform can secure a maximum reward of $1,000,000. Similarly, vulnerabilities affecting TEEGRIS OS can earn up to $400,000 for RCE flaws. These substantial payouts reflect Samsung’s commitment to encouraging researchers to identify and report critical security issues.
Additionally, the program offers rewards for other significant security scenarios, including device unlocks combined with data extraction, which can earn up to $400,000. Remote arbitrary application installation from unofficial sources or attacker-controlled servers is also highly rewarded, with payouts up to $100,000. Samsung has set strict requirements for claiming these rewards, including the need for a buildable exploit that works without privileges on the latest security updates for flagship models like the Galaxy S and Z series.
The launch of the ISVP follows Samsung’s previous success with its Mobile Security Rewards Program, through which the company has paid out over $4.9 million in bug bounty rewards since the program's inception in 2017. In 2023 alone, Samsung awarded $827,925 to 113 security researchers. With the ISVP, Samsung aims to surpass these figures and set new records in security rewards, further reinforcing its dedication to safeguarding its devices and enhancing overall mobile security.