Bug Bounty Program

Samsung Bug Bounty for Smart TV, Audio and Displays

(as well as their or any various integrated services such as Bixby)

Samsung welcomes you to the Samsung Bug Bounty Program.
We are pleased to offer a monetary bounty for certain qualifying security bugs.

Every participant has to log a security bug in the Samsung Smart TV, Audio and Displays
which thereafter will be validated and evaluated by our security experts.

Eligibility Criteria

Scope of the Program

Our Bug Bounty reward program scope includes:
- Hardware / Software vulnerabilities on Samsung Smart TV, Audio and Displays:
  - Models from years 2020 to 2024.
- Vulnerabilities on Samsung Smart TV, Audio and Displays software:
  - Samsung Smart TV, Audio and Displays apps released by Samsung Electronics Co., Ltd..
  - Vulnerabilities on Samsung Smart TV, Audio and Displays web infrastructures that directly support the operation of Samsung Smart TV, Audio and Displays.
- Note: we do not publish the list of web infrastructures that directly support the operation of Samsung Smart TV, Audio and Displays.

We will not reward:
- Non-security related bugs.
- Vulnerabilities on any system / device / app / website not mentioned above.
- Vulnerabilities on websites providing commercial, informational or support related contents (even if related to Smart TV, Audio and Displays).
- Vulnerabilities that have little or no impact (e.g. XSS that cannot lead to any exploit on a minor website).
- Security bugs in third-party applications.
- Security bugs in third-party websites integrated with Samsung.
- Bugs that are already reported by other participant, or aware by internal reviews.
- Theoretical vulnerabilities without proof of concept.
- Denial-of-Service (DoS) attack on website.
- Bugs affecting only oneself.
- Clickjacking (Only clickjacking for logged in or authenticated sessions is allowed).

Code of Conduct

Ethical Testing
- Accessing 3rd party accounts or data (please use test accounts).
- Attempting denial of service attacks.
- Using Spam, Phishing or other social engineering techniques.
More generally, please do not attempt any unethical or illegal activity during testing.
We will not pursue legal action against security researchers who conduct testing in an ethical manner as specified above.

Rewards

Eligibility

Eligibility Requirements for a reward:
- Issue must not already be known by Samsung (e.g. not already public, not already found by us during a pen test, not already reported by another user...).
- Issue must have a significant impact.

Hall Of Fame

Participants who contributed in identifying security issues in the above defined scope will be mentioned on our Hall of Fame page.
- Note: we do not give paper certificates, letters of recommendation, etc.

Monetary Reward

We will reward qualifying bugs depending on the maximum severity of the vulnerability and the priority of the target impacted.
We will provide higher reward scores for:
- Reports on vulnerabilities regarding any Smart TV, Audio and Displays security solution. (e.g remotely compromise verified boot, kernel).
- Reports on vulnerabilities with detailed and specific information (e.g., proof of concept & source code, test case, patches).

Non-Monetary Rewards

You hereby acknowledge that the final decision to provide the reward and the amount of the reward is at Samsung’s sole and complete discretion.
- Note: we do not provide rewards in the form of Samsung devices, swag, goodies, etc.

Turnaround Time

We will make commercially reasonable efforts to meet the following turnaround time :
- Time to issue an initial response (from date of report submission) - 1 business day
- Time to issue a triage (from date of report submission) - 10 business days