Security Post
Announcement
Annual Report in 2024
Jasper Park, Lead of Samsung Project Infinity at Samsung Mobile Security
04 Jun 2025
- We are pleased to announce the release of the 2024 Annual Report for Samsung Mobile Security Rewards Program, following last year's publication.
- This report highlights the program's continued growth and progress, sharing our achievements with our valued community. While the 2023 Annual Report was released later than anticipated, we aimed to prepare this year's report earlier. However, we apologize for its delayed release and we will strive to deliver the report even earlier next year.
- We sincerely appreciate security researchers and communities, our cherished friends. Your support and feedback are the most crucial driving forces behind the program's continuous development. In 2024, thanks to your valuable contributions, we were able to make our products and services even safer.
- As a result, the program's total annual rewards exceeded $1 million for the first time in its history. While we still have a long way to go, this reflects our commitment to continuous improvement and growth.
- We look forward to continuing this journey together and encourage our friends to keep sharing your insights and expertise. Your contributions are invaluable, and we are grateful for your collaboration.
- Our goal for 2025 is to double the number of high-impact reports and further enhance our collaboration with the community.
Review of 2024
- Since launching our Rewards Program in 2017, we have paid out over $6,000,000 rewards to date.
- In 2024, we awarded $1,029,380 in total to 105 researchers, marking the program's first annual reward of $1 million.
- We are deeply grateful for your contributions.
-
- A total of $1,029,380 was awarded to 105 researchers.
- Yifei Xie holds the record for the highest cumulative reward.
- hackpotato received the highest single report reward.
- Last August, we introduced the ISVP and Bonus Reward programs, offering various rewards for different targets, including a maximum reward of $1M, along with additional bonuses. (For those who may still be unaware, please refer to the links for ISVP and Bonus Rewards.)
- However, many of highly awarded reports, including the top rewards, were submitted before the launch of Bonus Reward and ISVP, resulting in additional bonuses not being awarded. Additionally, after launching these new programs, although we have received various reports targeting ISVP, no reports have yet met the ISVP criteria to claim the reward.
- We are prepared to offer higher rewards for critical scenarios with high-impact vulnerabilities. We kindly ask for more attention and participation and hope to have the opportunity to offer ISVP rewards before the end of this year.
We recognize that,
- we still have progress to make and are committed to refining our approach through continuous learning and improvement.
- Last month, with the release of the Hall of Fame, we received feedback from friends who provided significant help to our program last year. We acknowledged the need for improvements in various areas, so after having many discussions, we are conducting internal reviews.
- Here are a few examples:
-
- There was feedback regarding the unclear explanation and operational approach for ISVP and Good Report Bonus.
- We are preparing updates that include clearer and more intuitive guidance.
- Suggestions were provided about improving the transparency of duplicate report.
- For reports identified as 'Duplicated' (if the vulnerability has already been reported or is preparing patch after being found internally), we are preparing to provide additional explanations or (when possible) references during the process.
- There was a request to share the patch schedule in advance.
- We are reviewing options to share confirmed patch schedules with reporters ahead of the public Security Update disclosure.
- There was feedback regarding the unclear explanation and operational approach for ISVP and Good Report Bonus.
- Through your diverse advices, we are filling the gaps by reflecting on aspects we had not considered before, and we believe that through close collaboration, we can create a safer product ecosystem.
- We always welcome suggestions for improvement.
We are planning to,
- encourage reports on high-impact vulnerabilities.
- In 2024, the proportion of high-impact vulnerabilities, including remote code execution vulnerabilities, has been gradually increasing. By increasing the number of high-impact reports, we could proactively prevent serious impact on products, and offer more rewards to our friends. So, we also aim to strengthen rewards for higher-severity vulnerabilities.
- We continuously explore ways to encourage more research including activating the ISVP and enhancing rewards for high-impact reports. We will share additional updates on this matter as well.
- Based on diverse feedback and internal discussions, we will operate the program in a way that fosters greater trust and comfort for our friends to share their findings. If you have any good suggestions and feedback to help us fill in the gaps, please feel free to share them with us via mobile.security@samsung.com or through our website.
- Once again, I would like to express my heart felt gratitude to my friends, our valuable security researchers. And I sincerely appreciate for the efforts of my team, Samsung Project Infinity at Samsung Mobile Security.
- 감사합니다!