Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Samsung Adopts Bugcrowd to Manage Mobile Security Rewards Program

Samsung Adopts Bugcrowd, Offering up to $200,000 Per Vulnerability Through Mobile Security Rewards Program 

Samsung Adopts Bugcrowd, Offering up to $200,000 Per Vulnerability Through Mobile Security Rewards Program 

Bug bounties are cost-efficient partial solutions to the security skills gap. In 2015, Dice reported that that a Lead Software Security Engineer could cost more than $200,000 per year in salary, while an application security manager would cost more than another $150,000. 

Employing an in-house team to continuously probe products, software, firmware and all updates for security bugs rapidly becomes an expensive exercise, with — frankly — no guarantee of success. Failure to find and fix security bugs and vulnerabilities before they are exploited by criminals, however, could rapidly become even more costly.

Bug bounties help to solve this problem by tapping into the largest available market of top-class security expertise — the white hat hacker community — and paying only on results. Adequate bounties further encourage white hat hackers to conform to a responsible disclosure ethos for all discovered vulnerabilities, provided they are confident that the vendor will uphold his part of the bargain. Third-party bounty program operators take the idea further by running the bounty scheme on the vendors’ behalf, lowering administrative cost and hassle.

The 2017 Bugcrowd State of Bug Bounty Report (PDF) “highlights not only the continued growth of the bug bounty model, but also the enterprise’s adoption of it, with three times more enterprise bug bounty programs launched in the past year than the previous three years combined.”

Now Bugcrowd affirms this statement with the announcement that from today it will manage payment processing for the Samsung Electronics’ Mobile Security Rewards Program that was launched in September 2017. “By adopting a bug bounty program covering all mobile products, Samsung is not only accessing the most powerful set of resources available, but also demonstrating [its] commitment to security. We are proud to work with such a security-centric organization to help minimize the risk to the millions of consumers using Samsung mobile devices.”

Bugcrowd currently operates the rewards programs of more than 70 different companies (not all of which offer a financial bounty) including security firms BitDefender, Centrify, NETGEAR, 1Password, Okta, Cylance, LastPass. Corporate partners include MasterClass, Fiat Chrysler, Tesla and Western Union. The Samsung Electronics’ Mobile Security program rewards security researchers up to $200,000 per vulnerability, depending on its severity. 

Researchers are expected to keep details of any vulnerability confidential until a remedy is in place, but Samsung will provide an initial response within 48 hours and ‘make our best effort’ to release a patch within 90 days.

“Our Mobile Security Rewards Program is yet another initiative being undertaken by Samsung to further this commitment,” said Henry Lee, Senior VP of Mobile Security Technologies Group, Mobile Communications business at Samsung Electronics. “Bugcrowd helps fortify partnership with the security research community by ensuring the community receives payouts in a timely manner.”

Related: Bitdefender Offers Up to $1,500 in Public Bug Bounty Program 

Related: Google Paid Out $9 Million in Bug Bounties Since 2010 

Related: Disclosure – A Case for Bug Bounties

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Vulnerabilities

GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet