Submission of Vulnerability Report via Security Reporting Page of the ticketing system (Samsung Account required)
When we receive a report via Security Reporting in the ticketing system, an automatic reply email is sent. If you don’t receive a response email, please check that the report was registered correctly and make sure email from firstname.lastname@example.org is not flagged as junk email.
Internal Evaluation of Report and Severity Level based on Security Impact and Proof-of-Concept
When a security analyst is assigned to the issue, an automatic reply email is sent. The analyst then starts analyzing the issue and communicates with you as necessary to confirm it.
Development of Relevant Security Patch and final decision of Severity Level
When the analyst completes the analysis, Samsung’s internal security team decides the severity from the analysis result, on the basis of the Samsung Mobile Security Risk Classification as well as internal criteria, and informs you by email.
Also, the analyst will start working with the respective development team to prepare patches.
Make vulnerabilities public through posting them on this site and assign CVE IDs
Right after the patches start being released, we publicly release the vulnerability information and acknowledge your contribution in helping us improve the security of Samsung devices and services. We also publish the CVE ID for the issue as necessary.
If qualified, Rewards are paid through Bugcrowd (via payment processing)
If the report is eligible for a reward, we start the rewards process. To start this process, we notify you of the reward amount and request the information required for payment processing. (You will be asked to provide your full name, country of residence and address, postal code, and phone number for rewards purposes.) This information is sent to Samsung’s designated partner Bugcrowd, who will then contact you to confirm the reward pay-out and payment method.
Rewards payout is complete or the Report is Closed as [Duplicate / No Security Impact / Working as Intended / AOSP / No information provided]
When the process is completed, we will notify you that the process is closed.