Samsung takes your security very seriously. Yes, I know, we’ve all heard this before, and it usually comes after a break-in or hack of some sort. This time, however, Samsung wants to be hacked, and is offering a tantalizing $1 million reward to anyone up to the task. Ah, yes, the task: break into the super-secure Knox Vault hardware built into your Samsung Galaxy S and Z smartphones in zero clicks (that is, with no user interaction), and remotely steal the login credentials and other secure data stored inside.
The $1 million update to the Samsung Mobile Vulnerability Program
Samsung has presented its Galaxy smartphones to hackers to test how good the security really is. You may recall that in 2023, hackers successfully hacked the Galaxy S23 no less than four times in the Pwn2Own competition, using zero-day exploits. The successful bug bounty hackers at the time went home with a not-too-shabby $125,000. However, that’s insignificant compared to the new $1 million bounty that Samsung announced as an update to its Important Scenario Vulnerability Program.
Since the rewards program was launched about six years ago, it has paid out about $5 million in rewards. In 2023, the program paid a total of $827,925 to 113 researchers, with the highest amount for a single vulnerability report being $57,190, according to Jasper Park, head of the product security incident reporting team at Samsung Mobile Security.
The August 6 bug bounty update refers to those vulnerabilities that “demonstrate critical attack scenarios with significant impact on our products,” Samsung said. Rewards of up to $1 million are available to researchers who can demonstrate arbitrary code execution on highly privileged targets, unlock devices, fully extract user data from a device, install arbitrary applications, or bypass device protection mechanisms. To be considered for the top payout, a security researcher must submit a report demonstrating remote, zero-click arbitrary code execution against the Knox Vault.
In addition, the report must meet the following criteria:
- The report must fully meet the Samsung ISVP Good Reporting Bonus Conditions.
- The report must contain a buildable exploit to prove that the attack is successful in one or more of the defined scenarios.
- The exploit must work reliably on the Galaxy S and Z series flagship devices with the latest security update.
- The exploit must run without requiring any prior privileges.
- Hackers must also prove that they have accessed credentials stored in Knox Vault.
Here’s how you can join the hunt for the $1 million bug
To be eligible for a reward, you must submit your vulnerability report to Samsung through the official ticket system. Reports can be submitted via email, but do not qualify for a reward payment.
A Samsung account is required to submit your ticket, and you will be connected directly to a dedicated security analyst to discuss the vulnerability found and the status of the exploit code provided.
“We cannot stress enough how grateful we are to all researchers for collaborating with us,” Park said, “and we hope that even more security experts, researchers and Galaxy users will show interest.”