
Security Post

Announcement

ISVP Milestone & Update

Samsung Mobile Security
  1. We sincerely appreciate your continued interest and participation since the launch of the Important Scenario Vulnerability Program (ISVP) in August 2024. We are pleased to share key milestones as well as important policy updates regarding the ISVP.
Celebrating the First Eligible Report
  1. We launched the ISVP to enhance the identification of high-impact vulnerabilities. However, due to the extensive eligibility requirements for ISVP, there had been no eligible reports until now.
  2. Yichen Chai and Sacha Kozma from BugScale submitted successful exploits for vulnerabilities within SmartSwitch and Galaxy Store, which align closely with the objectives of operating the ISVP, and the vulnerabilities were successfully remediated in March 2026. We would like to take this opportunity to recognize the first successful ISVP submission.
  3. They successfully submitted reports demonstrating remote and local arbitrary installation, corresponding to the “Arbitrary Application Install” category of the ISVP. Thanks to their active collaboration in contributing to the patch process, all vulnerabilities have been resolved through the March Applications Update, and a total reward of $150,000 is currently being processed in accordance with the ISVP policy.
  4. We appreciate BugScale’s great assistance and their participation in this exciting journey, and we look forward to more interest and participation from you to make the ISVP more active.
Policy Updates
  1. We have received requests from many researchers for clearer explanations of the eligibility scope, as well as consideration of expanding the program scope. We have carefully reviewed this feedback and completed our internal review. We are now updating the ISVP policy as follows.
New Scope: Beyond Samsung Mobile Components
  1. One of the major concerns was that for some targets, it is difficult to specify the eligible scope of ISVP before submitting the report. Researchers invested significant effort in researching Galaxy devices and submitted eligible exploits to ISVP, but in cases where the issue is found to originate from code developed by the chipset vendors, the reports are determined to be ineligible for ISVP. Many researchers have expressed that this approach may be unfair and requires improvement.
  2. It is difficult to treat reports of vulnerabilities stemming from other companies’ implementation as eligible targets for our Rewards program. Therefore, for both the Samsung Mobile Security Rewards Program and the Important Scenario Vulnerability Program, only vulnerabilities arising from Samsung Mobile’s implementation are considered eligible reports, while vulnerabilities related to other companies are determined ineligible.
  3. After careful review, we have decided to expand the eligible scope of the ISVP program in line with its special purpose of proactively receiving and resolving important vulnerabilities. For the “Arbitrary code execution” category targeting Rich OS, we are expanding the scope to include ISVP reports that involve vulnerabilities stemming from other vendors’ implementation as eligible for partial rewards.
  4. Here is the updated policy for eligible scope and rewards of Rich OS ACE.
    • Exploits utilizing vulnerabilities found in Samsung Mobile code: Eligible (Full Reward)
    • Exploits combining vulnerabilities in Samsung Mobile code and other vendor code: Eligible (Partial Reward)
    • Exploits consisting solely of vulnerabilities in other vendor code without Samsung Mobile vulnerability: Not eligible (No Reward)
      • In cases where the exploit consists solely of vulnerabilities in Samsung DS: Eligible (Partial Reward)
Updated Targets and Rewards
  1. Based on extensive analysis of reported vulnerabilities and ongoing security improvements, the targets and rewards for each category of ISVP have been updated.
Rich OS ACE
  1. The maximum reward amount for Arbitrary Code Execution in Rich OS has been adjusted.
    • Local : $150,000 → $100,000
    • Remote : $300,000 → $200,000

       Note: As explained above, exploits that include vendor vulnerabilities for this category can be considered eligible reports for partial rewards.
TEEGRIS ACE / BFU Data Extraction
  1. The maximum reward amounts for the two categories have been adjusted as follows:
    • TEEGRIS OS - Remote ACE : $400,000 → $500,000
    • Device Unlock - Full User Data Extraction from BFU : $400,000 → $500,000
Arbitrary Installation
    • The existing “Remote” category has been divided into “Adjacent” and “Remote”, while the “Local” category is removed.
    • Bonus rewards are added for this category. Reports that successfully demonstrate installation that obtains System UID or grants dangerous or higher-level permissions will receive an extra bonus.
Bypass of Device Protection Solution
  1. Due to the stable operation of the Auto Blocker, we have decided to remove the relevant item from ISVP.
  1. For more detailed information on the updates, please refer to the newly added ISVP page on our website.