Samsung’s new program aims to surface and fix major issues in its software before they become a problem for end users.
Want to earn millions and help companies find issues in their software? Well, that’s what Samsung is offering bug hunters. The company has launched a new bug bounty programme that will award significant prizes to researchers who find security flaws and vulnerabilities in the company’s software, as part of its Mobile Security Program.
As per a blog post by Samsung, security researchers and others can earn rewards by finding different types of security flaws and vulnerabilities that lead to Arbitrary Code Execution on privileged targets in its systems. This includes things like data extraction, unlocking devices, executing arbitrary application installation, or bypassing the device’s security.
Depending on the severity of the vulnerability and the importance of the affected component, the company has increased the top reward of the bug bounty program to a million dollars. The top $1 million reward can be earned by compromising the latest Knox Vault and achieving remote code execution in Samsung’s hardware security system. Knox Vault is the company’s isolated secure environment for storing cryptographic keys and sensitive biometric information on mobile devices.
Beyond these, a subsequent device unlock after the first unlock earns a bug bounty reward of $200,000 (Rs 1 crore approx). However, up to $400,000 will be awarded if anyone unlocks a device and fully extracts user data without the phone having been unlocked beforehand.
The reward is $60,000 (Rs 50,000 approx) and $30,000 (Rs 25,000 approx) if researchers manage to install an application from the Galaxy Store remotely, while if ethical hackers install apps from sources other than the Galaxy Store, they could earn up to $100,000 and $50,000 (around Rs 4 lakhs).
The brand also says the report must showcase a successful attack targeting important scenarios. As for the eligibility criteria, researchers must include an exploit that successfully targets one or more of the defined important scenarios to qualify for the Good Report Bonus. In addition, the exploit must be effective against the latest security updates of the latest flagship Galaxy Z and S series devices, and it should be executable without needing elevated privileges.
Moreover, researchers must include the prefix [ISVP] in their report title when submitting through the rewards programme in order to join the program.
The tech giant also stated that it has paid nearly $5 million (Rs 36 crore) through the bug bounty program it launched in 2017.