Skip to content

Semiconductor Product Security

Security Reporting

Report by email

Required Information

Submit a report via email to with the items below, along with the PoC attachment.
Firmware Version
Vulnerability Type (e.g. Buffer overflow, or Integer overflow, or Race condition, or Null pointer dereference, or, )
Country of Residence
Bounty Y/N
Disclosure plans, if any
The following items must be included.
  • Description of potential vulnerability as detailed as possible
  • Steps to reproduce the issue
  • Impact caused by PoC
  • Expected correct behavior or workaround
  • Please provide information on whether this vulnerability has been reported to any external or third-party entities.
The Common Vulnerability Scoring System (CVSS) score is judged based on the PoC, and claims not proven by the PoC will not be accepted.

Rewards Program

Eligibility Criteria

Our Bug Bounty reward program scope includes:
  • Security vulnerabilities in the following components in Device Solutions of Samsung Electronics: Samsung Exynos Application Processors, Communication Processor, SIM, NFC, Secure Element
  • Hardware
    All products that haven't reached EOS (End Of Service) yet as of the date of report
  • Software
    All software authored by Samsung Electronics Device Solutions, which is embedded in the latest publicly available hardware within the scope above
We will not reward:
  • Non-security related bugs.
  • General Denial of Service ("DoS") issues triggered by a local access vector; provided that certain DoS issues satisfying specific conditions may qualify for a reward (See Eligibility Requirements section below for details); or
  • Micro-architectural side-channel attacks
  • In cases where the reported vulnerability does not provide any benefit to the attacker, such as when the vulnerability only allows deleting files or rebooting the system with root privileges
  • Availability issues arising from the use of a fake base station
Eligibility Requirements
  • Issues must not already be known by Samsung (e.g., not already public, not already found by us during a pen test, not already reported by another user, etc.)
    Only the first report of vulnerability will be considered for a reward.
  • The issue of software must occur on the latest publicly available version of Hardware defined the scope.
  • Security reports are required to provide clear Proof of Concepts ("PoCs"). Without PoCs, its reward and Common Vulnerabilities and Exposures ID ("CVE ID") registration would not be guaranteed.
  • All information related to the vulnerability must not be disclosed to the public until it is publicly disclosed by Samsung Electronics.
  • Only individuals are considered for the qualification of reward.
  • Customers, partners, contractors of or anyone with business/contractual relationships with Samsung Electronics are not eligible for rewards.
  • Employees of Samsung Electronics and its affiliates are not eligible for rewards.
  • DoS issues triggered by a local access vector would be considered eligible vulnerabilities only if security impact is proved by PoC or its damaged availability lasts even after system-rebooting.


The reward will be provided based on the type and severity of security issues within the scope described above and the comprehensiveness of the report. Rewards are provided at the sole discretion of Samsung Electronics.

Additional Terms and Conditions

  • You must not damage, disrupt or otherwise interfere with the property or data of Samsung Electronics or any other parties.
  • You must comply with all applicable laws, including local laws of the country of your residence or the location where you purchase or access Samsung Electronics devices or services.
  • Your participation in our Bug Bounty reward program must be in good faith, and any related action should only be performed strictly for the purposes of reporting an issue within the scope of the Bug Bounty reward program. Any attempt to copy, decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, techniques or algorithms in Samsung Electronics' hardware, software or services for any other purpose is not permitted.
  • Reward payments may not be provided if you are an individual, entity or in any country subject to an embargo, sanction or other restriction by an applicable governmental entity.
  • You are responsible for all applicable tax liability with respect to the reward payment.
  • Samsung Electronics, at its sole discretion, may reject any submission that it determines does not comply with our terms and conditions.
  • The terms and conditions of the Bug Bounty reward program, including the scope and eligibility requirements, are subject to change at any time at Samsung Electronics' sole discretion.

Security Bulletins

This Security Bulletin provides details on security updates for Samsung Device Solution customers to enhance our product security. The link below addresses the Common Vulnerabilities, Exposures (CVE) IDs of the vulnerabilities and the affected products.