Samsung Adopts Bugcrowd, Offering up to $200,000 Per Vulnerability Through Mobile Security Rewards Program
Bug bounties are cost-efficient partial solutions to the security skills gap. In 2015, Dice reported that a Lead Software Security Engineer could cost more than $200,000 per year in salary, while an application security manager would cost a further $150,000 or more.
Employing an in-house team to continuously probe products, software, firmware and all updates for security bugs rapidly becomes an expensive exercise, with — frankly — no guarantee of success. Failure to find and fix security bugs and vulnerabilities before they are exploited by criminals, however, could rapidly become even more costly.
Bug bounties help to solve this problem by tapping into the largest available market of top-class security expertise — the white hat hacker community — and paying only on results. Adequate bounties further encourage white hat hackers to conform to a responsible disclosure ethos for all discovered vulnerabilities, provided they are confident that the vendor will uphold its part of the bargain. Third-party bounty program operators take the idea further by running the bounty scheme on the vendors’ behalf, lowering administrative cost and hassle.
The 2017 Bugcrowd State of Bug Bounty Report (PDF) “highlights not only the continued growth of the bug bounty model, but also the enterprise’s adoption of it, with three times more enterprise bug bounty programs launched in the past year than the previous three years combined.”
Now Bugcrowd affirms this statement with the announcement that from today it will manage payment processing for the Samsung Electronics’ Mobile Security Rewards Program that was launched in September 2017. “By adopting a bug bounty program covering all mobile products, Samsung is not only accessing the most powerful set of resources available, but also demonstrating [its] commitment to security. We are proud to work with such a security-centric organization to help minimize the risk to the millions of consumers using Samsung mobile devices.”
Bugcrowd currently operates the rewards programs of more than 70 different companies (not all of which offer a financial bounty), including security firms Bitdefender, Centrify, NETGEAR, 1Password, Okta, Cylance and LastPass. Corporate partners include MasterClass, Fiat Chrysler, Tesla and Western Union. The Samsung Electronics Mobile Security Rewards Program rewards security researchers with up to $200,000 per vulnerability, depending on its severity.
Researchers are expected to keep details of any vulnerability confidential until a remedy is in place, but Samsung will provide an initial response within 48 hours and ‘make our best effort’ to release a patch within 90 days.
“Our Mobile Security Rewards Program is yet another initiative being undertaken by Samsung to further this commitment,” said Henry Lee, Senior VP of Mobile Security Technologies Group, Mobile Communications business at Samsung Electronics. “Bugcrowd helps fortify partnership with the security research community by ensuring the community receives payouts in a timely manner.”
Related: Bitdefender Offers Up to $1,500 in Public Bug Bounty Program
Related: Google Paid Out $9 Million in Bug Bounties Since 2010
Related: Disclosure – A Case for Bug Bounties