close

Samsung Mobile Security and Cookies

Our site uses essential cookies only. You can read our Privacy Policy and Cookie Policy for more information.

close

Samsung Mobile Security
Cookie Policy

Updated on Jan 17, 2022

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer
Samsung Electronics (UK) Limited
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

Cookies

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

Essential Cookies: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie Domain Purpose
JSESSIONID security.samsungmobile.com to keep login session
lastActivityTime security.samsungmobile.com to save the user's last activity time to automatically logout after 30 minutes of inactivity

Managing Cookies and Other Technologies

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

Go straight to the menu Go straight to the text
Home>Rewards Program>How it works

Rewards Program

We appreciate your interest and intention to help improve the security of Samsung Mobile products.

We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports.

Please check below for more information on guidelines and eligibility for Samsung Mobile Security Rewards Program.

We look forward to your continued interests and participations in our Samsung Mobile Security Rewards Program. Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile.

To ensure smooth and timely operation, please make sure you carefully read and fully understand the requirements and guidelines below before submitting security reports for the rewards program.

Please refer to the Security Reporting page for submitting security reports.

Conditions for rewards qualification:
  1. 1. Security vulnerability report ("Report") must be applicable to eligible Samsung Mobile devices (including smartphones, tablets and wearable devices listed below), services, applications developed and signed by Samsung Mobile, or eligible 3rd party applications developed for Samsung Mobile.
    • Eligible Samsung Mobile Devices in their latest available Android version and firmware:

      Galaxy Fold, Galaxy Fold 5G, Galaxy Z Fold2, Galaxy Z Fold2 5G, Galaxy Z Fold3 5G, Galaxy Z Fold4, Galaxy Z Fold5, Galaxy Z Flip, Galaxy Z Flip 5G, Galaxy Z Flip3 5G, Galaxy Z Flip4, Galaxy Z Flip5, W20 5G, W21 5G, W22 5G, W23, W23 flip

      Galaxy S series (S10 Lite, S20, S20 5G, S20+, S20+ 5G, S20 Ultra, S20 Ultra 5G, S20 FE, S20 FE 5G, S21 5G, S21+ 5G, S21 Ultra 5G, S21 FE 5G, S22, S22+, S22 Ultra, S23, S23+, S23 Ultra)

      Galaxy Note series (Note10 Lite, Note20, Note20 5G, Note20 Ultra, Note20 Ultra 5G)

      Galaxy A series (A20s, A30s, A50s, A70s, A90 5G, A01, A11, A21, A21s, A31, A41, A51, A51 5G, A71, A71 5G, A02, A02s, A12, A22, A22 5G, A22e 5G, A32, A32 5G, A42 5G, A52, A52 5G, A52s 5G, A72, A82 5G, A03, A03 core, A03s, A13, A13 5G, A23, A23 5G, A33 5G, A53 5G, A73 5G, A04, A04s, A04e, A14, A14 5G, A24, A34 5G, A54 5G)

      Galaxy M series (M10s, M30s, M01, M11, M21, M21 2021, M31, M31s, M51, M12, M22, M32, M32 5G, M42 5G, M52 5G, M62, M13, M13 5G, M23 5G, M33 5G, M53 5G, M04, M14 5G, M34 5G, M54 5G)

      Galaxy F series (F12, F22, F42 5G, F52 5G, F62, F13, F04, F14 5G, F34 5G, F54 5G)

      Galaxy Tab series (Tab Active Pro, Tab Active3, Tab Active4 Pro, Tab A 8.4 (2020), Tab A7, Tab A7 Lite, Tab A8, Tab S6, Tab S6 5G, Tab S6 Lite, Tab S7, Tab S7+, Tab S7 Lite, Tab S8, Tab S8+, Tab S8 Ultra, Tab S9 Ultra, Tab S9 Plus, Tab S9)

      Galaxy XCover series (Xcover Pro, Xcover5, Xcover6 Pro)

      Galaxy Watch4, Galaxy Watch4 Classic, Galaxy Watch5, Galaxy Watch5 Pro, Galaxy Watch6, Galaxy Watch6 Classic
    • Applicable Samsung Mobile services must be currently active. Vulnerabilities in services offered by other divisions of Samsung may not be eligible for a reward.
    • Applications developed and signed by Samsung Mobile must be up-to-date with the latest update.
    • Vulnerabilities in 3rd party software, in general, are not eligible for a reward.
  2. 2. In case of receiving duplicate Reports of a specific vulnerability, only the first Report is eligible for a reward. In some cases, Reports may also be considered duplicate if the patch for the vulnerability is already planned for release.
  3. 3. Reports related to the following categories are not eligible:
    • Software bugs that have no security impact
    • A behavior of the software that is consistent with the security concept implemented by Samsung
    • Require excessive preconditions to exploit a vulnerability such as physical connection to the device with hacking tools
      (Vulnerabilities that assume unlocked device or device configured as Developer mode may be downgraded or considered No Security Impact.)
    • Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit
      (SQL injection with no practical security impact may be considered No Security Impact and thus possibly not eligible.)
    • Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking
    • Exploit is based on a complex scenario or the probability of exploit is very low
    • Vulnerability of a 3rd party code that affects not only Samsung devices but also other Android devices
    • Vulnerabilities (affecting Samsung as well as other Android devices) that are covered by other bug bounty programs (Android Rewards, Qualcomm Bug Bounty, etc.) do not qualify
    • Reports from people employed by Samsung and its affiliates, partners, or families of people employed by Samsung
    • Reports based on information taken or obtained through illegal access of Samsung Confidential information
    • Reports based on information that is already public
    • Scenarios that can be mitigated if secure lock (PIN, Pattern, Password, or Biometric) authentication is enforced
    • If Participant discloses any contents or information included in its Report before receiving the rewards or before receiving the disqualification notice from Samsung.
    • Reports not submitted through "ticketing system", but sent via direct email (mobile.security@samsung.com).
  4. 4. Samsung Mobile Security Rewards Program("rewards program") is operated by Samsung Mobile and offers monetary rewards to eligible participants in order to improve the security of Samsung Mobile products and services. Thus, the process of the rewards program from start to payout, the decision of severity level and reward amount, and terms and conditions, will be entirely determined and governed by Samsung. The policy, guidelines, qualification requirements and eligibility requirements for the rewards program may change without advanced notice. We may also stop the rewards program at any time.
  5. 5. Participation in the rewards program and reporting to Samsung Mobile shall not involve any illegal activities:
    • Samsung Mobile services must not be interrupted and the reporting must not attack any Samsung internal or external servers, nor cause damage of data or physical assets.
    • Participation in the rewards program or reporting to Samsung Mobile must not violate any applicable laws and regulations, or infringe any third party rights (including intellectual property rights).
  6. 6. While participants’ comments and justifications will be carefully considered, Samsung will decide in its sole discretion:
    • Whether the Report qualifies for the rewards program
    • Which level of security risk ("severity") would be assigned to each Report
    • The final rewards amount
  7. 7. For rewards eligibility, participants are asked not to publish or disclose the vulnerability in public until coordination with Samsung via communication at mobile.security@samsung.com
  8. 8. Reported vulnerability or related exploits shall not be used for any illegal activities.
  9. 9. Residents from countries sanctioned by the government of South Korea are not eligible for the rewards program.
  10. 10. Depending on your local law, there may be additional restrictions on your eligibility to participate the rewards program.
  11. 11. You acknowledge and agree that the Reports may be shared with our partners.
Rewards amount and process
  1. 1. The rewards amount will range between USD $200 and USD $200,000 for qualified Reports. Generally, higher severity issues, more rewards amount will be offered. However, to estimate the rewards amount, we consider various factors including severity level such as report quality, affected scope, difficulty of attacks, and so on. So, a lower severity issue well qualified can get more bounty than a higher severity issue. On the other hand, please understand that no reward will be given to Reports with No Security Impact. Also, Reports that merely describe a software bug or a behavior of a software that is consistent with the security concept implemented by Samsung will be considered as Working as Intended with No Security Impact.
  2. 2. If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.
  3. 3. Higher rewards amount will be offered for vulnerabilities with greater security risk and impact, and even higher rewards amount will be offered for vulnerabilities that lead to TEE or Bootloader compromise. On the other hand, rewards amount may be significantly reduced if the security vulnerability requires running as a privileged process.
  4. 4. You are responsible for any tax implications depending on your country of residency and citizenship. Withholding tax may be deducted from the monetary reward in accordance to the laws of applicable jurisdiction and the tax rate may differ by applicable countries.
  5. 5. For qualified Reports, rewards will be paid out through Samsung's designated partner Bugcrowd via payment processing and participants will be contacted by Bugcrowd during the process.
  6. 6. This rewards program process will be terminated if the Report or participant's handling of the vulnerability does not meet the qualification requirements or any other necessary conditions.
  7. 7. Once the rewards program process is initiated, it may take up to 2 months or more until the reward is paid out assuming the required documents are prepared with completeness and all required information are submitted on time.