Samsung Adopts Bugcrowd to Manage Mobile Security Rewards Program
29.11.2017 securityweek Mobil
Samsung Adopts Bugcrowd, Offering up to $200,000 Per Vulnerability Through Mobile Security Rewards Program
Bug bounties are cost-efficient partial solutions to the security skills gap. In 2015, Dice reported that that a Lead Software Security Engineer could cost more than $200,000 per year in salary, while an application security manager would cost more than another $150,000.
Employing an in-house team to continuously probe products, software, firmware and all updates for security bugs rapidly becomes an expensive exercise, with -- frankly -- no guarantee of success. Failure to find and fix security bugs and vulnerabilities before they are exploited by criminals, however, could rapidly become even more costly.
Bug bounties help to solve this problem by tapping into the largest available market of top-class security expertise -- the white hat hacker community -- and paying only on results. Adequate bounties further encourage white hat hackers to conform to a responsible disclosure ethos for all discovered vulnerabilities, provided they are confident that the vendor will uphold his part of the bargain. Third-party bounty program operators take the idea further by running the bounty scheme on the vendors' behalf, lowering administrative cost and hassle.
The 2017 Bugcrowd State of Bug Bounty Report (PDF) "highlights not only the continued growth of the bug bounty model, but also the enterprise's adoption of it, with three times more enterprise bug bounty programs launched in the past year than the previous three years combined."
Now Bugcrowd affirms this statement with the announcement that from today it will manage payment processing for the Samsung Electronics' Mobile Security Rewards Program that was launched in September 2017. "By adopting a bug bounty program covering all mobile products, Samsung is not only accessing the most powerful set of resources available, but also demonstrating [its] commitment to security. We are proud to work with such a security-centric organization to help minimize the risk to the millions of consumers using Samsung mobile devices."
Bugcrowd currently operates the rewards programs of more than 70 different companies (not all of which offer a financial bounty) including security firms BitDefender, Centrify, NETGEAR, 1Password, Okta, Cylance, LastPass. Corporate partners include MasterClass, Fiat Chrysler, Tesla and Western Union. The Samsung Electronics' Mobile Security program rewards security researchers up to $200,000 per vulnerability, depending on its severity.
Researchers are expected to keep details of any vulnerability confidential until a remedy is in place, but Samsung will provide an initial response within 48 hours 'make out best effort' to release a patch within 90 days.
"Our Mobile Security Rewards Program is yet another initiative being undertaken by Samsung to further this commitment," said Henry Lee, Senior VP of Mobile Security Technologies Group, Mobile Communications business at Samsung Electronics. "Bugcrowd helps fortify partnership with the security research community by ensuring the community receives payouts in a timely manner."