Samsung's bug bounty program will pay rewards of up to $200,000
With the growing number of cyber attacks and data breaches, a number of tech companies and organisations have started Bug Bounty programs for encouraging hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded.

Samsung is the latest in the list of tech companies to launch a bug bounty program, announcing that the South Korean electronics giant will offer rewards of up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software.

Dubbed the Mobile Security Rewards Program, the newly launched bug bounty program covers 38 Samsung mobile devices released from 2016 onwards that currently receive monthly or quarterly security updates from the company.

Conditions for rewards qualification:
  1. Security vulnerability report ("Report") must be applicable to eligible Samsung Mobile devices, services, applications developed and signed by Samsung Mobile, or eligible third party applications developed for Samsung.
    • Eligible Samsung Mobile Devices in their latest available Android version and firmware:
      Galaxy S series (S8, S8+, S8 Active, S7, S7 edge, S7 Active, S6 edge+, S6, S6 edge, S6 Active)
      Galaxy Note series (Note 8, Note FE, Note 5, Note 4, Note edge)
      Galaxy A series (A3 (2016), A3 (2017), A5 (2016), A5 (2017), A7 (2017))
      Galaxy J series (J1 (2016), J1 Mini, J1 Mini Prime, J1 Ace, J2 (2016), J3 (2016), J3 (2017), J3 Pro, J3 Pop, J5 (2016), J5 (2017), J7 (2016), J7 (2017), J7 Max, J7 Neo, J7 Pop)
      Galaxy Tab series (Tab S2 L Refresh, Tab S3 9.7)
    • Applicable Samsung Mobile services must be currently active.
    • Applications developed and signed by Samsung Mobile must be up-to-date with the latest update.
    • Vulnerabilities on 3rd party applications must be specific to Samsung Mobile devices, applications or services.
  2. In case of receiving duplicate Reports of a specific vulnerability, only the first Report is eligible for a reward.
  3. Reports related to the following categories are not eligible:
    • Software bugs that have no security impact
    • Require physical connection to the device with developer-level debugging tool including but not limited to ADB
    • Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit
    • Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking
    • Exploit is based on a complex scenario or the probability of exploit is very low
    • Vulnerability of a 3rd party code that affects not only Samsung devices but also other Android devices
    • Vulnerabilities (affecting Samsung as well as other Android devices) that are covered by other bug bounty programs (Android Rewards, Qualcomm Bug Bounty, etc.) do not qualify
    • Reports from people employed by Samsung and its affiliates, partners, or families of people employed by Samsung
    • Reports based on information taken or obtained through illegal access of Samsung Confidential information
    • Reports based on information that is already public
    • Scenarios that can be mitigated if secure lock (PIN, Pattern, Password, or Biometric) authentication is enforced
    • If Participant discloses any contents or information included in its Report before receiving the rewards or before receiving the disqualification notice from Samsung.
  4. Samsung Mobile Security Rewards Program ("rewards program") is operated by Samsung Mobile and offers monetary rewards to eligible participants in order to improve the security of Samsung Mobile products and services. Thus, the process of the rewards program from start to payout, the decision of severity level and reward amount, and terms and conditions, will be entirely determined and governed by Samsung. The policy, guidelines, qualification requirements and eligibility requirements for the rewards program may change without advanced notice. We may also stop the rewards program at any time. Participants acknowledge and agree that the submitted Report will not be returned to the participant and regardless of receiving any rewards for the Report, any information and contents in the Report may be used by Samsung Mobile to enhance the security of its products.
  5. Participation in the rewards program and reporting to Samsung Mobile shall not involve any illegal activities:
    • Samsung Mobile services shall not be interrupted and the reporting shall not attack any Samsung internal or external servers, nor cause damage of data or physical assets.
    • Participation in the rewards program or reporting to Samsung Mobile shall not violate any applicable laws and regulations, or infringe any third party rights (including intellectual property rights).
  6. Samsung will decide in its sole discretion: (Participants shall not claim for any decisions made by Samsung)
    • Whether the Report qualifies for the rewards program
    • Which level of security risk ("severity") would be assigned to each Report
    • The final rewards amount
  7. Reported vulnerability shall not be published or disclosed in public until agreed and approved by Samsung Mobile.
  8. Residents from countries sanctioned by the government of South Korea are not eligible for the rewards program.
  9. Depending on your local law, there may be additional restrictions on your eligibility to participate in the rewards program.
  10. You acknowledge and agree that the Reports may be shared with our partners.
Rewards amount and process
  1. The severity is classified to 4 levels (Critical, High, Moderate, and Low) depending on the security risk and impact, and it will be decided by Samsung's internal evaluation in its sole discretion.
  2. Depending on the severity level of the vulnerability, the rewards amount will range between USD $200 and USD $200,000 for qualified Reports. Please understand that no reward will be given to Reports with No Security Impact.
  3. If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.
  4. Higher rewards amount will be offered for vulnerabilities with greater security risk and impact, and even higher rewards amount will be offered for vulnerabilities that lead to TEE or Bootloader compromise. On the other hand, rewards amount may be significantly reduced if the security vulnerability requires running as a privileged process.
  5. You are responsible for any tax implications depending on your country of residency and citizenship. Withholding tax may be deducted from the monetary reward in accordance with the laws of the applicable jurisdiction and the tax rate may differ by applicable country.
  6. The process and guidelines for the rewards program are as follows:
    • Participant submits vulnerability Report via Security Reporting page ⇒ Samsung Mobile performs internal evaluation of the vulnerability Report and confirms with assigned severity level, if valid ⇒ Samsung Mobile prepares remedy (the relevant security patch for the reported vulnerability) ⇒ If qualified, participants will be notified with rewards amount ⇒ Rewards payout may be processed by Samsung Mobile or a third party designated by Samsung Mobile depending on the location of the participant or any other factors.
    • When communicating with our internal bounty team, please use our public PGP key (Fingerprint: F5F3 8EEC 4388 E4E2 9184 78BD BA2D 9A24 CD38 64BE) to secure private and personal information.
    • This rewards program process will be terminated if the Report or participant's handling of the vulnerability does not qualify all requirements and any other necessary conditions.
    • Once the rewards program is initiated, it may take up to 2 months or more until the reward is paid out assuming the required documents are prepared with completeness and submitted on time.
