Samsung boosts bug bounty to a cool million for cracks of the Knox Vault subsystem
Samsung has dangled its first $1 million bug bounty for anyone who successfully compromises Knox Vault – the isolated subsystem the Korean giant bakes into its smartphones to store info like credentials and run authentication routines.
Samsung’s not made it easy to become a bug-blasting millionaire. Scoring the cash requires demonstrating use of a zero-click method – no user interaction required – to crack a Galaxy S or Z handset as an unprivileged user and come away with credentials.
As Knox Vault has its own processor and storage – both isolated from the handset’s main processor and therefore resistant to attacks that exploit shared resources – the challenge facing crackers is substantial.
Achieving the same result with local access will only yield up to $300,000 under the new terms of Samsung’s Important Scenario Vulnerability Program.
Another big money target is Samsung’s TEEGRIS – a trusted execution environment present in some devices that use the Korean giant’s own Exynos SoCs. Demonstrating a successful compromise will bring in $400,000 if done remotely, while a local crack will score $200,000. But be warned: merely subverting a single trustlet – a trusted application running inside the TEE – doesn’t count; you need to defeat the TEE operating system itself.
For those who fancy attacking Samsung’s Rich Execution Environment (REE) operating system, the rewards are less lucrative: $150,000 for a local attack and double that for a remote one – but again with caveats. Any payout will vary depending on the degree of privilege escalation attackers can achieve, and the efficacy of the code they can run.
Folks who can plunder user data from a Samsung handset in the before-first-unlock state – powered on but not yet unlocked by its owner since boot, so the user’s credentials have not been entered – will net up to $400,000, although the sum depends on how much information can be snaffled. If an attacker can defeat Samsung’s Auto Blocker anti-malware engine then there’s another $100,000 on offer, but you’ll need to establish a persistent presence on the device to get the full payout.
Apps are also included in the payout program. Remotely forcing the installation of an app from a third-party app store is worth $100,000, or half that if done locally. The figures fall to $60,000 and $30,000, for remote and local attacks respectively, when the app is already in Samsung’s Galaxy Store.
“After running the program for several years, the biggest lesson learned is that researchers are my dear and grateful friends who take their time to look at our products from various perspectives and help make them secure and safe,” wrote Jasper Park, lead at Samsung Mobile Security’s Product Security Incident Response Team. “I sincerely appreciate your help.”
While the big money bounties are tempting, Samsung’s record suggests they are proportionate to difficulty. In the seven years since Samsung started its program the biz has paid out under $5 million – and the top individual award from last year was just $57,190. In 2023 Samsung coughed up $827,925 to 113 people for their bug-finding efforts.
For real cash, pick on Redmond
By contrast, Microsoft has splashed seriously big bucks for bugs – 343 attackers from 55 countries took home $16.6 million in the 12 months ending July this year. Redmond’s biggest reward was $200,000 to an unnamed individual.
Microsoft resisted the idea of bug bounties for years, but was finally persuaded to try them after a three-year campaign by Katie Moussouris – then Redmond’s senior security strategist and now CEO of Luta Security. The bounty program was launched at the Black Hat 2013 security conference, with a top prize of $100,000 and a free laptop – unfortunately running Windows 8.1, but you can’t have everything.
Moussouris subsequently found some good news for Samsung: money is not necessarily the prime motivator for security researchers. Two years after Microsoft started its bounty program, she conducted research showing that, in some cases, the publicity for flaw finders’ businesses mattered more to them than hard cash.
But the money is always nice, and it’s a cheap program for Redmond to run – costing around two hours of net income for the software slinger based on its 2024 accounts.
“The Microsoft Bounty Program is crucial to our proactive strategy of incentivized research programs to engage the external research community to partner and protect our customers from security threats,” commented Madeline Eckert, senior program manager of researcher incentives at Microsoft.
“These programs encourage researchers to surface vulnerabilities in high-priority attack surfaces, allowing Microsoft to fortify our products in a continuously changing security landscape.” ®