Samsung is the latest company to launch a bug bounty program, with the South Korean company paying as much as $200,000 to whoever discovers a critical software vulnerability that would make it possible to compromise one of its devices.
Reported vulnerabilities must affect Samsung Mobile devices, services, or applications developed and signed by Samsung, or applications that third-party companies developed specifically for Samsung. All devices need to be fully up to date and the impacted services must be currently active.
The list of devices includes the most recent models, like the S8, S7, and Note 8, but also older models released in 2016, like the J3 and the A5. The Samsung Galaxy S6 is also included in the program.
“We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports,” Samsung says.
“Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile.”
Bounties start at $200
If you somehow discover a way to breach a Samsung device without a physical connection to it, then Samsung isn’t offering a reward, though such a flaw would clearly expose user data as well. Also, Samsung says that it won’t pay rewards for flaws that lead to an app crash without an exploit.
Of course, you’re not supposed to make the vulnerabilities that you discover public, but report them privately to Samsung, which will then inspect the findings and decide whether it should issue a payment or not. This is something that all the other companies require, especially because critical vulnerabilities need to remain private until a fix is developed.