Vulnerability reporting

Last updated March 7th, 2025

Samsung Security Bulletin

Samsung provides vulnerability disclosures monthly. These outline Samsung Vulnerabilities and Exposures (SVEs) and Common Vulnerabilities and Exposures (CVEs) that may be patched with the next Security Maintenance Release (SMR). Because SMR versions are tied to the Android Security Patch Level (ASPL), some SVEs may not be patched on all devices in the subsequent month due to patch distribution from chipset vendors, carrier testing, or other factors. See the Security Updates bulletin for the latest information on patch rollout of SVEs.

The CVEs listed in Samsung’s security bulletin are released following official disclosure from the Android Security Bulletin, alongside any relevant CVEs applicable only to Samsung devices. SVEs have a matching CVE that can be found on our security bulletin.

Due to the rapid patching of Samsung-discovered vulnerabilities, a matching CVE may be listed as pending until it’s fully processed by the National Institute of Standards and Technology (NIST).

Vulnerability management

Due to limited insight into the patch distribution and vulnerability attribution for third-party tools, vulnerabilities may be mapped incorrectly for Samsung Galaxy devices as a result of differences in device hardware, software, and other factors across device models. We strongly encourage our customers to use Knox Asset Intelligence for accurate vulnerability management and as a source of vulnerability information for third-party tools.

Bug Bounty Program

To improve the security and privacy of our products and minimize risk to end users, Samsung offers a rewards program for eligible security vulnerability reports. Through this reward program, we hope to build and maintain valuable relationships with researchers who coordinate the disclosure of security issues with Samsung Mobile.

To ensure a smooth and timely operation when submitting an eligible bug to our program, please carefully read the requirements and guidelines captured on our Security reporting site.
