Samsung has launched a new program to detect security vulnerabilities in its mobile devices and encourage people to report them.
The rewards for local arbitrary code execution are around $300,000, while remote code execution (RCE) offers a reward of $1,000,000.
The Important Scenario Vulnerability Program (ISVP) seeks exploits related to unlocking devices, extracting data, and bypassing device security.
Money money money
For Samsung’s Rich OS, local code execution flaws yield $150,000, and RCEs reach a maximum payout of $300,000. Reports of successful data extraction on the first unlock yield a reward of $400,000, dropping to $200,000 if extraction is achieved after the first unlock.
The maximum rewards require the vulnerability to be persistent and 0-click. Lower payouts include arbitrary remote installation of applications from an unofficial marketplace or attacker server, which yields $100,000, or $60,000 if the application is installed from the Galaxy Store.
To be considered successful, a report must include a buildable exploit that works consistently without privileges on major Samsung device models running the latest security update.
Samsung also revealed it paid out $827,925 as part of its 2023 bug bounty program, with 113 security researchers participating in the Mobile Security Rewards Program. To date, all of Samsung’s bug bounty programs since 2017 have paid out more than $4.9 million.
Via BleepingComputer