August 7, 2024 at 09:23PM
Samsung has introduced a bug bounty program with rewards of up to $1 million for successfully compromising its Knox Vault system in its smartphones. Other targets include TEEGRIS and Rich Execution Environment, with rewards varying based on the level of compromise. In contrast, Microsoft has awarded researchers $16.6 million in bug bounties.
From the meeting notes, the key takeaways are:
1. Samsung has introduced a bug bounty program offering substantial rewards for researchers who can compromise the security features of their devices, particularly Knox Vault, TEEGRIS, Rich Execution Environment (REE) operating system, and other specific applications.
2. Samsung’s bug bounty rewards range from $100,000 to $1 million, depending on the type of compromise, method of attack (remote or local), and the level of access and data extraction achieved.
3. The bug bounty program has been running for several years, with a total payout of under $5 million so far and a top individual award of $57,190 in the previous year.
4. In contrast, Microsoft has a significantly larger bug bounty program, having paid out $16.6 million to 343 researchers from 55 countries in the 12 months ending July, with the highest reward being $200,000 to an individual.
5. While monetary rewards are a significant part of bug bounty programs, publicity and recognition for the researchers and their businesses also play a key role, as evidenced by a study conducted two years after the launch of Microsoft’s bounty program.
6. The bug bounty programs are crucial for both Samsung and Microsoft to continually fortify their products and engage the external research community to protect their customers from security threats.
This summary provides an overview of the key details and implications discussed in the meeting notes.