Semiconductor Product Security

Security Reporting

Report by email

dsprodsec@samsung.com

PGP Key
Fingerprint: 9720 BF88 D5C9 A20D A969 B415 FD9D 5107 8E46 4A5A
If you have identified security issues that meet the Eligibility Criteria within our product, we kindly request that you report them via email. Please fill in the required information below, encrypt it using our PGP Key (Fingerprint: 9720 BF88 D5C9 A20D A969 B415 FD9D 5107 8E46 4A5A), and proceed to submit your report. We appreciate your understanding and cooperation.

Required Information

Submit a report via email to dsprodsec@samsung.com with the items below, along with the PoC attachment.
Title
Firmware Version
Vulnerability Type (e.g. buffer overflow, integer overflow, race condition, null pointer dereference, etc.)
Discoverer
Country of Residence
Bounty Y/N
Disclosure plans, if any: We have a diverse range of clients with various products, so patching may take 180 days or even longer. Therefore, even if the targeted disclosure plan has a lead time of over 90 days, please specify the date or the name of the conference.
Description
The following items must be included.
  • Description of potential vulnerability as detailed as possible
  • Steps to reproduce the issue
  • Impact caused by PoC
  • Expected correct behavior or workaround
  • Please provide information on whether this vulnerability has been reported to any external or third-party entities.
Non-disclosure: By submitting this report, I hereby agree to hold in strict confidence all information related to the alleged vulnerability contained in this report. I also agree that, once this report is submitted, I may not disclose the existence of this report or the nature of the alleged vulnerabilities identified in this report to any third party or to the public without first obtaining express written consent of Samsung Electronics to do so.
A statement of non-disclosure must be included in the report when it is submitted.
The severity of reported security vulnerabilities is assessed using CVSS based on the provided PoC; claims not proven by the PoC will not be accepted.

Rewards Program

Please carefully read the information on the Samsung Semiconductor Product Security Site (hereinafter Site) before submitting your report. By submitting your report, you will be deemed to have agreed to all terms and conditions on this Site, including all terms stated below.

Eligibility Criteria

Scope
Our vulnerability reward program scope includes:
  • Security vulnerabilities in the following components in Device Solutions of Samsung Electronics: Samsung Exynos Application Processor, Communication Processor, SIM, NFC, Secure Element, DRAM, SSD, Memory Card, Magician Software
  • Hardware
    All products that haven't reached EOS (End Of Service) yet as of the date of report
  • Software
    All software authored by Samsung Electronics Device Solutions, which is embedded in the latest publicly available hardware within the scope above
We will not reward:
  • Non-security related bugs.
  • Reports that do not agree to the Non-disclosure statement
  • General Denial of Service ("DoS") issues triggered by a local access vector; provided that certain DoS issues satisfying specific conditions may qualify for a reward (See Eligibility Requirements section below for details)
  • Vulnerabilities occurring on the Samsung DS websites
  • Micro-architectural side-channel attacks
  • In cases where the reported vulnerability does not provide any benefit to the attacker, such as when the vulnerability only allows deleting files or rebooting the system with root privileges
  • Communication availability issues arising from the use of a fake base station
Eligibility Requirements
  • Issues must not already be known by Samsung (e.g., not already public, not already found by us during a pen test, not already reported by another user, etc.)
    Only the first report of vulnerability will be considered for a reward.
  • Software issues must occur on the latest publicly available version of the hardware defined in the scope.
  • Security reports are required to provide clear Proofs of Concept ("PoCs"). Without a PoC, neither a reward nor Common Vulnerabilities and Exposures ID ("CVE ID") registration is guaranteed.
  • Regardless of whether you are eligible for a reward under our vulnerability reward program or the issues you reported are deemed vulnerabilities by Samsung Electronics, all information related to the vulnerability, once submitted, must not be disclosed to the public until it is first publicly disclosed by Samsung Electronics or you have first obtained Samsung Electronics’ express written approval to do so.
  • Only individuals are considered for the qualification of reward.
  • Customers, partners, contractors of or anyone with business/contractual relationships with Samsung Electronics are not eligible for rewards.
  • Employees of Samsung Electronics and its affiliates are not eligible for rewards.
  • DoS issues triggered by a local access vector are considered eligible vulnerabilities only if the security impact is proven by a PoC or the loss of availability persists even after a system reboot.

Reward

The reward will be provided based on the type and severity of security issues within the scope described above and the comprehensiveness of the report. Rewards are provided at the sole discretion of Samsung Electronics.

Additional Terms and Conditions

  • You must not damage, disrupt or otherwise interfere with the property or data of Samsung Electronics or any other parties.
  • You must comply with all applicable laws, including local laws of the country of your residence or the location where you purchase or access Samsung Electronics devices or services.
  • Your participation in our vulnerability reward program must be in good faith, and any related action should only be performed strictly for the purposes of reporting an issue within the scope of the vulnerability reward program. Any attempt to copy, decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, techniques or algorithms in Samsung Electronics' hardware, software or services for any other purpose is not permitted.
  • Reward payments may not be provided if you are an individual, entity or in any country subject to an embargo, sanction or other restriction by an applicable governmental entity.
  • You are responsible for all applicable tax liability with respect to the reward payment.
  • Samsung Electronics, at its sole discretion, may reject any submission that it determines does not comply with our terms and conditions.
  • The terms and conditions of the vulnerability reward program, including the scope and eligibility requirements, are subject to change at any time at Samsung Electronics' sole discretion.
  • We have various customers and products, each with diverse security update policies. Therefore, a longer period may be needed to disclose vulnerabilities for certain products, and the information disclosed may be limited.

Security Bulletins

This Security Bulletin provides details on security updates for Samsung Device Solution customers to enhance our product security. The link below lists the Common Vulnerabilities and Exposures (CVE) IDs of the vulnerabilities and the affected products.

View

Please contact the OEM to confirm if patches have been applied to the final end-user product.