Samsung announced on Tuesday that it has paid out nearly $5 million through its bug bounty program since its launch in 2017, including $828,000 in 2023.
In 2023, 113 researchers were paid for responsibly disclosing vulnerabilities in Galaxy mobile devices. The highest single reward exceeded $57,000 and went to TASZK Security Labs.
“Their impressive research helped secure our products against potential remote attacks,” Samsung said. “Although Exynos Baseband related reports became out of scope with our program and [TASZK Security Labs] reports involved chains with baseband, resulting in a reduction of the overall reward, it was still TASZK Security Labs who received the highest total payout in 2023.”
The company on Tuesday also announced bonus rewards for high-quality vulnerability reports, and informed bug bounty hunters that the maximum reward has been increased to $1 million.
The top amount can be earned for a remote code execution exploit targeting the Knox Vault hardware security system. A local code execution exploit targeting Knox Vault can earn researchers up to $300,000.
An exploit involving device unlocking with full user data extraction is worth up to $400,000, and finding a way to install arbitrary applications from outside the Galaxy Store can earn bug bounty hunters $100,000.
These high rewards can be earned as part of Samsung’s Important Scenario Vulnerability Program. In order to qualify, reporting researchers have to submit a quality report with a practical exploit that can be executed without privileges on up-to-date Galaxy S or Z series mobile devices.
Microsoft announced this week that it has paid out roughly $16.6 million through its bug bounty programs over the past year, which brings the total awarded since 2018 to $75.5 million.