
Security Reporting

If you have identified a potential security vulnerability in any Samsung Mobile product or software, please report it here.

Please carefully read the reporting guidelines and Samsung’s security risk classification criteria below prior to reporting.

We encourage the reporting party to place the users’ interest first and follow the philosophy of Responsible Disclosure, which involves privately notifying us of any security vulnerabilities before disclosing them fully to allow us to resolve the vulnerabilities and minimize overall risk to users.
Reporting Guidelines
  • When reporting the security vulnerability you have identified, you need a Samsung Account; create one if you do not already have one.
    The following information is required:
    • Name and Contact e-mail
    • Firmware Version of Affected Products
    • Vulnerability Type and Category
    • Country of Residence
    • Description of potential vulnerability
    • Disclosure plans, if any
  • Please note that this page is for reporting security vulnerabilities of Samsung Mobile products. If the identified potential vulnerability applies to other Samsung products, please visit here.
Responsible Disclosure Policy
  • At Samsung, we take security and privacy issues very seriously, and we value the security research community and are committed to addressing potential security vulnerabilities as quickly as possible. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our end-consumers.
  • We ask our security research community to:
    • Make every effort to avoid privacy violations, degradation of user experience, disruption to internal or external servers, and destruction of data or physical assets during security testing;
    • Use the reporting guidelines stated above to report the details of potential vulnerabilities as completely as possible; and
    • Keep information about any potential vulnerability discovered confidential between yourself and Samsung until we have a remedy in place.
  • In return, we commit to:
    • Respond within a maximum of 48 hours of receiving the initial report;
    • Work with you to understand and resolve the potential vulnerability quickly;
    • Make our best effort to resolve security vulnerabilities, and release patches to end-consumers within 90 days; and
    • Reward you, if you choose to participate in our Samsung Mobile Security Rewards Program, and recognize your contribution through our Acknowledgements for eligible reports.
Samsung Mobile Security Risk Classification

The following table presents our security risk classification criteria as standard guidance. Each security vulnerability reported will be assigned a risk rating based on this table. Please note that this table may be updated without advance notice.

Classification: Description / Classification Criteria
Critical
  • Arbitrary code execution in the TEE
  • Remote arbitrary code execution in a privileged process or the TCB
  • Remote permanent denial of service (device inoperability: completely permanent or requiring re-flashing the entire operating system)
  • Remote bypass of user interaction requirements on package installation or equivalent behavior
  • Secure Boot bypass
  • Unauthorized access to hardware-protected key
High
  • Remote arbitrary code execution in an unprivileged process
  • Local arbitrary code execution in a privileged process or the TCB
  • Unauthorized access to data secured by the TEE
  • Remote access to protected data (data normally accessible only to locally installed apps that request permission, or that is limited to a privileged process)
  • Local permanent denial of service (device inoperability: completely permanent or requiring re-flashing the entire operating system)
  • Remote temporary device denial of service (remote hang or reboot)
  • Remote bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission)
  • Local bypass of user interaction requirements for any developer or security settings modifications
  • A general bypass for operating system protections that isolate application data from other applications
  • A general bypass for operating system protections that isolate users or profiles from one another
  • Unauthorized access to sensitive personal information (i.e., Personally Identifiable Information, or PII) protected by cryptographic controls
  • Lockscreen bypass
  • Bypass of Carrier Restrictions or unauthorized network unlock
Moderate
  • Remote arbitrary code execution in a constrained process
  • Local arbitrary code execution in an unprivileged process
  • A general bypass for a defense in depth or exploit mitigation technology in a privileged process, the TCB, or the TEE
  • Bypass of restrictions on a constrained process
  • Bypass of Device Protection / Factory Reset Protection
  • Remote access to unprotected data (data normally accessible to any locally installed app)
  • Local access to protected data (data normally accessible only to locally installed apps that request permission, or that is limited to a privileged process)
  • Local bypass of user interaction requirements without user awareness (access to functionality that would normally require either user initiation or user permission)
  • Local permanent denial of service (device requires a factory reset)
  • Unauthorized access to non-personally identifiable information (i.e., non-PII) protected by cryptographic controls
  • Unauthorized access to software-protected key
  • Targeted prevention of access to emergency services
Low
  • A general bypass for a user level defense in depth or exploit mitigation technology in an unprivileged process
  • Local arbitrary code execution in a constrained process
  • Misuse of cryptographic function or algorithm
  • Local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission)
No Security Impact
  • Non-exploitable vulnerability or a vulnerability with lower impact than Low that can be mitigated by one or more existing controls (e.g., local temporary denial of service)

- Last updated: August 10, 2017