Security Post
Announcement
Annual Report in 2023 and New Announcements
Jasper Park, Lead of PSIRT at Samsung Mobile Security
06 Aug 2024
- It has been more than 6 years since we officially launched Samsung Mobile Security Rewards Program, and today, we are finally releasing our first ever "Annual Report" for the Rewards Program.
- Although there have been many challenges and difficulties in running our Rewards Program, with the help of numerous security experts and communities around the world, it has been able to run our Rewards Program.
- The program was started with the goal of securing our products by receiving vulnerabilities that were not detected internally with external security communities' help. As we received more and more reports, and analyzed and rolled out patches for them, our products became securer and safer. Thanks to the assistance from our valuable researchers.
- After running the program for several years, the Biggest Lesson Learned is that Researchers are my dear and grateful friends who take their time to look at our products from various perspectives and help make them secure and safe.
- I sincerely appreciate your help, 감사합니다!
- With the help of our friends, our Rewards Program has continued to evolve, and as part of it, I will summarize a review of the program in 2023.
Review of 2023
- Since starting our official Rewards Program in 2017, we have paid about $5 million. In 2023, we rewarded over $800,000 to 113 researchers.
-
- Rewarded $827,925 to 113 researchers
- The highest reward in one report was $57,190 by TASZK Security Labs.
- The researcher with the highest total reward was also TASZK Security Labs.
- The researcher with most reports was Oversecured Inc.
- Among all of dedicated my friends, there are two that deserve special appreciation.
-
- TASZK Security Labs who helped us from long time ago was a researcher whose report received the highest single reward in 2023. There impressive researches helped secure our products against potential remote attacks. Although Exynos Baseband related reports became out of scope with our program and his reports involved chains with baseband, resulting in a reduction of the overall reward, it was still TASZK Security Labs who received the highest total payout in 2023.
-
- Oversecured is one of our best friends, having submitted numerous valuable reports since their initial report with us back in 2021. In 2023, they reported the greatest number of valid reports. Their valuable researches have covered various targets including applications and frameworks, helping us towards securing diverse targets of and introducing novel types of vulnerabilities in our products. (they were also ranked as the top researcher who filed the most reports and received the highest total rewards in 2022.)
- We sincerely appreciate all of our friends who worked with us with the valuable findings. It was all thanks to your efforts that we were able to run this program and make our products and services more safe and secure to keep our customers from potential attacks.
- In order to collaborate better with our friends, we have continuously made efforts to listen to your voices. As a result, we have come to the conclusion that an update is required to work more closely with you and run a better Rewards Program.
And we are now
- And we are now understanding the needed updates what we learned your voices of worries and complaints.
- We cannot emphasize enough how much we appreciate all the researchers for working with us and we hope to get greater interest from more security experts, researchers and Galaxy users.
- We fully understand that it may have become harder and harder to find vulnerabilities with the products, as we are working effortlessly for additional security features while releasing security patches as quickly as possible and as often as possible to keep our customers safer.
- So some may be discouraged to submit findings with a concern that it may be an inefficient research due to potentially low rewards compared to the efforts.
- And we also understood your concerns regarding the transparency of criteria and unpredictable reward amounts.
- Good news!
- We are very excited to announce the largest update we have ever done since releasing our Rewards Program.
- In order to encourage more researchers and users to participate in Samsung Mobile Security Rewards program, we have set new goals. Below is some of our initiatives to the find the best win-win path forward for Samsung and our friends as part of improving our program.
As transparent as possible
- We have heard many voices stating difficulty in predicting the severity and reward amounts. So we are now sharing updates indicating clearer criteria of severity and factors used for rewards amount. And please also refer to the FAQ for most frequent inquiries and discussions.
Don’t let your efforts go in vain
- We have tried to find ways to offer higher rewards for reports with high impact reports and high quality reports. And now we want to introduce our new Program and Bonus Rewards which provide extra reward and maximum amount covered by our program.
- Please refer to the Good Report Bonus and Important Scenario Vulnerability Program.
AI Security
- We started a pilot rewards program for Samsung mobile AI Security.
- We hope to get your interest and active participation for Samsung Mobile AI Security. Since we are in early stage for this, working on setting up the policies for reports related to AI Security, your interests and researches will greatly help us to finalize our policies and standards.
- We want your continuous interest in Samsung Mobile Security Rewards Program. Stay tuned!
- We are preparing additional programs, announcements, and events within 2024.
- I would like to express my gratitude to my friends, our valuable security researchers.
- And I sincerely appreciate for the efforts of my team, PSIRT at Samsung Mobile Security.