Samsung offers $1M bounty for ethical hackers to crack Knox Vault

In a bold move aimed at bolstering its cybersecurity measures, Samsung Electronics is offering a $1 million payout to anyone who can successfully find and exploit security vulnerabilities in its Knox Vault processor and storage offering.

Building on the protection provided by TrustZone, Samsung’s Trusted Execution Environment (TEE) designed to safeguard sensitive information like passwords, biometrics, and cryptographic keys, Knox Vault offers an enhanced layer of security. Unlike TrustZone, which operates alongside Android on the main application processor, Knox Vault functions independently from the primary processor running the Android OS.

The announcement, made through Samsung’s official security portal, details a vulnerability that affects a range of its mobile devices. According to the information released, the security flaw could potentially allow unauthorized access to sensitive data or grant elevated permissions under specific conditions.

The $1 million bounty is being offered as part of Samsung’s expanded efforts to engage with the global cybersecurity community. The company is specifically interested in seeing a demonstration of the vulnerability being exploited in a controlled environment. To qualify for the bounty, participants must provide a detailed report and proof of concept, ensuring the exploit aligns with the parameters set by Samsung’s security team.

To earn the reward, those willing to attempt will need to demonstrate exploitation using a zero-click method to break into a Galaxy S or Z handset as a non-privileged user and obtain credentials. Hackers must also show that they can access credential-related data stored in Knox Vault.

The Galaxy S24 features under-display fingerprint biometric technology from Suprema and Qualcomm.

Samsung’s decision to offer such a substantial reward is part of a broader trend among tech companies that increasingly rely on bug bounty programs to uncover and address security vulnerabilities. These programs have proven to be effective in incentivizing researchers and ethical hackers to collaborate with companies in fortifying their systems.

Last year, similar to Samsung, Shufti Pro introduced a bug bounty program to enhance the security and reliability of its biometric identity verification software, and in 2022, Onfido also opened a bug bounty program for cybersecurity researchers and ethical hackers to help it improve its digital identity platform.

Article Topics

bug bounty  |  cybersecurity  |  Samsung  |  trusted execution environment