Bug Bounty Program

Samsung Bug Bounty for Smart TV, Audio and Displays

(as well as any integrated services, such as Bixby)

Samsung welcomes you to the Samsung Bug Bounty Program.
We are pleased to offer a monetary bounty for certain qualifying security bugs.

Every participant must report a security bug in Samsung Smart TV, Audio and Displays products;
each report is then validated and evaluated by our security experts.
Eligibility Criteria
Scope of the Program
  • Our Bug Bounty reward program scope includes:
    • Hardware / Software vulnerabilities on Samsung Smart TV, Audio and Displays:
      • Models from model years 2020 to 2024.
    • Vulnerabilities on Samsung Smart TV, Audio and Displays software:
      • Samsung Smart TV, Audio and Displays apps released by Samsung Electronics Co., Ltd.
      • Vulnerabilities on Samsung Smart TV, Audio and Displays web infrastructures that directly support the operation of Samsung Smart TV, Audio and Displays.
    • Note: we do not publish the list of web infrastructures that directly support the operation of Samsung Smart TV, Audio and Displays.
  • We will not reward:
    • Non-security related bugs.
    • Vulnerabilities on any system / device / app / website not mentioned above.
    • Vulnerabilities on websites providing commercial, informational or support related contents (even if related to Smart TV, Audio and Displays).
    • Vulnerabilities that have little or no impact (e.g. XSS that cannot lead to any exploit on a minor website).
    • Security bugs in third-party applications.
    • Security bugs in third-party websites integrated with Samsung.
    • Bugs already reported by another participant, or already known to us from internal reviews.
    • Theoretical vulnerabilities without proof of concept.
    • Denial-of-Service (DoS) attacks on websites.
    • Bugs that affect only the reporter's own account.
    • Clickjacking (only clickjacking of logged-in or authenticated sessions is eligible).
Code of Conduct
  • Ethical Testing
      Your activities during vulnerability research should not threaten or impact the business, services or users of Samsung and our partners.
      By impact we mean affecting confidentiality, integrity or availability of devices, infrastructure and services.
      Please refrain from:
    • Accessing 3rd party accounts or data (please use test accounts).
    • Attempting denial of service attacks.
    • Using spam, phishing or other social engineering techniques.
  • More generally, please do not attempt any unethical or illegal activity during testing.
    We will not pursue legal action against security researchers who conduct testing in an ethical manner as specified above.
Rewards
Eligibility
  • Eligibility Requirements for a reward:
    • The issue must not already be known to Samsung (e.g. not already public, not already found by us during a penetration test, not already reported by another participant).
    • Issue must have a significant impact.
Hall Of Fame
  • Participants who contribute to identifying security issues within the scope defined above will be listed on our Hall of Fame page.
    • Note: we do not give paper certificates, letters of recommendation, etc.
Monetary Reward
  • We will reward qualifying bugs depending on the maximum severity of the vulnerability and the priority of the target impacted.
  • We will provide higher reward scores for:
    • Reports on vulnerabilities in any Smart TV, Audio and Displays security solution (e.g. remote compromise of verified boot or the kernel).
    • Reports on vulnerabilities with detailed and specific information (e.g., proof of concept & source code, test case, patches).
Non-Monetary Rewards
  • You hereby acknowledge that the final decision to provide the reward and the amount of the reward is at Samsung’s sole and complete discretion.
    • Note: we do not provide rewards in the form of Samsung devices, swag, goodies, etc.
Turnaround Time
  • We will make commercially reasonable efforts to meet the following turnaround times:
    • Time to issue an initial response (from date of report submission) - 1 business day
    • Time to issue a triage (from date of report submission) - 10 business days