
Samsung will pay $1,000,000 for RCE in Galaxy Safe Vault


Samsung has launched a new bounty program for discovering bugs in its mobile devices. Rewards of up to $1,000,000 are available for submissions that present critical attack scenarios.

The new Important Scenario Vulnerability Program (ISVP) focuses on vulnerabilities related to arbitrary code execution, device unlocking, data extraction, installation of arbitrary apps, and device bypassing.

Highlighted payouts

Knox Vault is Samsung’s isolated secure environment for storing sensitive biometric information and cryptographic keys on mobile devices. Reports that achieve local arbitrary code execution in Knox Vault receive $300,000, while remote code execution (RCE) is rewarded with a $1,000,000 bounty.

TEEGRIS OS is Samsung’s Trusted Execution Environment (TEE) operating system, which provides a secure environment, isolated from the main operating system, for executing sensitive code and processing critical data such as payment and authentication.

Local arbitrary code execution in TEEGRIS OS pays $200,000, while RCE vulnerabilities pay $400,000.

Local arbitrary code execution on Rich OS, the main operating system on Samsung devices, pays $150,000, while RCE on that system pays a maximum of $300,000.

Highest payouts in ISVP
Source: Samsung

Unlocking a device with full extraction of user data pays $400,000, or half that amount if the extraction is achieved after the first unlock.

Another notable payout is $100,000 for achieving remote installation of any app from an unofficial marketplace or attack server, or $60,000 if the app is installed from the Galaxy Store. Local arbitrary installs pay $50,000 and $30,000 respectively.

To be eligible for the rewards, bug reports must describe a security flaw in the device's built-in software that works without special permissions on the latest security update of flagship models such as the Galaxy S and Z series.

To claim the maximum rewards, the exploit must be persistent and zero-click, meaning it does not require any user interaction.

$830,000 paid in 2023

Samsung also announced today that it paid $827,925 to 113 security researchers participating in the Mobile Security Rewards Program for their reports in 2023.

Since the program began in 2017, Samsung has paid out over $4.9 million in bug bounties, with the highest single payout being $120,000. The record payout last year was $57,190.

The introduction of ISVP aims to break these records by providing a strong incentive for researchers to report more serious issues affecting Samsung devices.