Noticeboard

2015 Xiaomi Security Reward Program

Post by adminQ at 2015-03-10 18:34:32

Effective from March 1, 2015 through 2016

I. Basic principles

The security of our products is very important to us, and we constantly strive to safeguard our users. The Mi Security Center aims to raise the overall security of our products by working closely with individuals, organizations, and companies.

To protect the interests of our users, we thank and reward white-hat hackers who help us improve security.

We oppose and condemn the actions of hackers who use vulnerability testing as an excuse to exploit and damage our products or harm the interests of our users. This includes, but is not limited to, exploiting vulnerabilities to steal user data, intruding into Xiaomi's services, altering or stealing data from related systems and services, or maliciously disseminating vulnerabilities or data. We will pursue legal action against parties who commit the actions described above.

II. Responsible vulnerability disclosure

Create an account and sign in at https://sec.xiaomi.com

Provide complete personal information.

Submit the vulnerability report online.

The Mi Security Center team (hereafter referred to as MiSRC) will review the vulnerability and update its status. Depending on the severity of the vulnerability, the review will be completed within seven working days. If required, we ask that the reporter communicate with our team to confirm the vulnerability.

Reporters can check the status of their reported vulnerabilities, and may raise any objections with the MiSRC team in the seven days after the vulnerability is confirmed, in particular with reference to the dispute resolution process described in Section VI.

On the last day of every month, MiSRC will review vulnerabilities for that month, and publish reward information (on this message board and on Weibo) within the following three work days.

The reporter provides the required payment details and collects the reward.

III. Vulnerability Assessment Standard

Depending on where they apply, vulnerabilities are assessed in two general categories: traditional vulnerabilities and mobile client vulnerabilities. The potential harm of a reported vulnerability is graded on the following five-tier scale: Major, High, Medium, Low, and Minor.

Traditional security vulnerabilities: vulnerabilities in system networks, servers, web applications and web clients, etc.

Major:

RMB 2,000 - RMB 50,000 reward for vulnerabilities that involve:

1. Directly obtaining system (server) permissions, including, but not limited to, remote arbitrary command execution, code execution, arbitrary file upload leading to a webshell, buffer overflows, SQL injection yielding root permissions, server-side parsing vulnerabilities, file inclusion vulnerabilities that expose important data, etc.

2. Logic design flaws, including, but not limited to, the ability to sign in to arbitrary Mi Accounts, change Mi Account passwords, view sensitive account data, or bypass SMS or email verification.

3. Sensitive data vulnerabilities, including, but not limited to, SQL injection in core databases and leaks of sensitive data affecting millions of accounts.

4. Major security incidents, including providing proof of an intrusion and information about the intruder, etc.

High:

RMB 500 - RMB 2,000 reward for vulnerabilities that involve:

1. Directly stealing user identity information, including, but not limited to, SQL injection in core databases, and stored XSS on important pages that obtains sensitive information or performs sensitive operations.

2. Unauthorized sensitive operations, including, but not limited to, unauthorized changes to important account information, creating orders, and other important unauthorized operations.

3. Unauthorized data access, including, but not limited to, bypassing authentication to access backend systems, weak backend sign-in passwords, weak SSH passwords on non-critical systems, weak database passwords, unauthorized access to other accounts' sensitive data, etc.

4. Vulnerabilities with a widespread effect on users, including CSRF affecting exchanges, cash, or passwords.

Medium:

RMB 100 - RMB 500 reward for vulnerabilities that involve:

1. Vulnerabilities that require user interaction, including, but not limited to, reflected XSS (including DOM XSS) that can obtain users' key information, stored XSS on common pages that do not contain sensitive information, and CSRF for important or sensitive operations.

2. Common data vulnerabilities, including, but not limited to, web path traversal, system path traversal, and SQL injection in non-core product lines or SQL injection that is difficult to exploit.

3. Common logic design flaws, including, but not limited to, unlimited sending of SMS or email, etc.

Low:

RMB 10 - RMB 100 reward for vulnerabilities that involve:

1. Minor data vulnerabilities, including, but not limited to, exposed SVN metadata, exposed git metadata, exposed log files, phpinfo() pages, etc.

2. Hard-to-exploit, latent vulnerabilities, including, but not limited to, stored XSS that cannot obtain users' key data, exploitable self-XSS, CSRF that requires constructing specific parameters to have an effect, URL redirects, etc.

Minor:

No monetary reward for vulnerabilities that involve:

1. Bugs that are not security vulnerabilities, including, but not limited to, product feature flaws, garbled pages, mismatched styles, etc.

2. Unexploitable vulnerabilities, including, but not limited to, scanner reports without a meaningful vulnerability (e.g. an out-of-date web server version), self-XSS, JSON hijacking of non-sensitive data, CSRF for non-sensitive operations, and data vulnerabilities of no significance.

3. Vulnerabilities that cannot be reproduced, or other issues based on conjecture.

Mobile client vulnerabilities: security vulnerabilities centered on the MIUI mobile client, including the MIUI ROM, apps developed by Xiaomi, and Mi Home devices.

Major:

RMB 1,000 - RMB 10,000 reward for vulnerabilities that involve:

1. Obtaining root access, including, but not limited to, Xiaomi's modifications to stock Android that allow users to obtain root access directly, remote command execution, use-after-free vulnerabilities in the Browser introduced by Xiaomi's modifications to stock Android, escaping the Android application sandbox or compromising TrustZone, remote kernel code execution, and other code execution caused by logic flaws.

2. Major logic design flaws, including, but not limited to, bypassing the lockscreen or other security measures to access sensitive data, and flaws in Xiaomi apps that allow changing the password of an arbitrary account or obtaining an arbitrary account's data from the cloud, etc.

High:

RMB 500 - RMB 1,000 reward for vulnerabilities that involve:

1. Unauthorized access to sensitive data, including, but not limited to, intercepting Broadcast information from services, or spoofing Android component permissions.

2. Sensitive data vulnerabilities, including, but not limited to, directly exploitable local SQL injection in an app, exposure of the digests used for mobile API access, etc.

3. Cross-site scripting vulnerabilities in important product clients that allow an attacker to obtain sensitive information or execute sensitive operations.

Medium:

RMB 100 - RMB 500 reward for vulnerabilities that involve:

1. General unauthorized operations, including, but not limited to, insecure use of Intents.

2. General data vulnerabilities, including, but not limited to, plaintext passwords stored on the client.

3. Remote denial of service, including, but not limited to, remote denial of service against the client (special characters, malformed file formats).

4. Insecure configuration, including, but not limited to, core apps accepting certificates not issued by a trusted third-party CA.

Low:

RMB 10 - RMB 100 reward for vulnerabilities that involve:

1. Local SQL injection affecting non-sensitive app data.

2. Local denial-of-service vulnerabilities, important apps exposed through Android component permission problems, permission issues in common apps, etc.

3. Remote code execution vulnerabilities in mobile apps that require a man-in-the-middle attack; an effective PoC must be provided.

Minor:

No monetary reward for vulnerabilities that involve:

1. Bugs that are not security vulnerabilities, including, but not limited to, product feature flaws, garbled pages, mismatched styles, etc.

2. Unexploitable vulnerabilities, including, but not limited to, scanner reports without a meaningful vulnerability (e.g. an out-of-date web server version), self-XSS, JSON hijacking of non-sensitive data, CSRF for non-sensitive operations, and data vulnerabilities of no significance.

3. Vulnerabilities that cannot be reproduced, or other issues based on conjecture.

IV. Vulnerability Assessment Principles

The vulnerability scale applies only to Xiaomi products and services. Domains in scope include, but are not limited to, *.mi.com, *.miui.com, *.xiaomi.com, *.duokan.com and *.miwifi.com. Servers in scope are Xiaomi's operational servers. Products in scope include: Mi Phone, Redmi, Mi Router, Mi TV, Mi Pad, Mi Box, Mi Band, Mi Air Purifier, Blood Pressure Monitor, and Xiao Yi Smart Camera. Issues in non-Xiaomi products and services that are developed and operated by companies Xiaomi has invested in, joint ventures, or cooperation partners may not be handled under the rules described above. Xiaomi will not review vulnerabilities that do not involve Xiaomi.

Rewards are limited to vulnerabilities reported to the Mi Security Center for the first time. Vulnerabilities that have already been reported on other platforms, or have been reported previously, are not eligible for a reward.

The following conditions apply to common third-party products:

1) Server-side: including, but not limited to, vulnerabilities in products currently used by Xiaomi, such as WordPress, phpcms, Discuz, Flash plugins, Apache server-side modules, OpenSSL, third-party SDKs, etc. If the vulnerability was publicly disclosed within the last month, or if Xiaomi has already learned of it through another channel, it is not eligible for a reward. If Xiaomi is unaware of the vulnerability, or it was publicly disclosed more than one month ago and Xiaomi has not yet fixed it, the reporter is eligible for a reward, but the vulnerability will not be graded above "Medium".

2) Client-side: including, but not limited to, known vulnerabilities in Android, common app vulnerabilities, etc. If the vulnerability was publicly disclosed within the last three months, or if Xiaomi has already learned of it through another channel, it is not eligible for a reward. If Xiaomi is unaware of the vulnerability, or it was publicly disclosed more than three months ago and Xiaomi has not yet fixed it, the reporter is eligible for a reward, but the vulnerability will not be graded above "Medium".

Multiple vulnerabilities stemming from a single root cause will be grouped together and assessed as a single vulnerability.

For a single URL, several vulnerabilities in different parameters will be grouped together. The reward is paid according to the single highest threat level within the group.

When reporting vulnerabilities, be as detailed and methodical as possible. The reporter should provide the vulnerability details, the underlying cause, the method of exploitation, remediation suggestions, and a detailed impact assessment. Not providing an associated PoC or exploit will directly affect our assessment of the vulnerability.

The threat level of a vulnerability is determined by how easy it is to exploit, its severity, and its scope.

Scanner results without proof of potential harm will be rejected.

Xiaomi reserves the right to take legal action against those who use vulnerability testing as an excuse to harm the interests of our users, interrupt our services, or steal user data.

V. Reward Payment Protocols

The Mi Security Team uses two forms of reward. A cash payment is awarded for each eligible vulnerability, with the amount determined by its threat level. Special monthly prizes are also awarded based on the quality of the reported vulnerabilities (see below).

On the last day of the month, the Mi Security Team calculates payments for all eligible vulnerabilities reported that month and publishes a notice on this message board and on Weibo. Payment is issued within 10 business days. If there is any problem with a payment, we will actively contact the reporter.

If the last day of the month falls on a weekend or holiday, the review is carried out on the next business day, and the normal timeline for announcements and payments runs from that day. For example, 31/1/2015 is a Saturday, so the Mi Security Center would begin reviewing and calculating awards for January on Monday 2/2/2015, and would publish the results within the three working days from 2/2/2015 to 2/5/2015.

The recipient of a reward must provide his or her full legal name, legal identification number, and bank account information. If the award payment exceeds RMB 800, he or she must also provide legal identification documents to collect payment. This information is used only for payment and is not shared with third parties.

To encourage high-quality vulnerability reports, every month a special prize is awarded to an unspecified number of reporters based on the quality of their reports. At present the prize is a 16 GB Mi 4 (this may change from month to month). Reporters who meet either of the following two criteria are eligible for this prize:

1. The reporter submitted a confirmed "Major" vulnerability that month.

2. The reporter's total award payment for the month exceeds RMB 2,000 and includes at least one vulnerability rated "High" or above.

VI. Dispute resolution

If the reporter disagrees with the Mi Security Center's assessment of a reported vulnerability or has another objection, he or she can contact the program's management. The Mi Security Center will respond with the reporter's interests in mind and, if necessary, may bring in a third party for arbitration.

The Mi Security Team reserves the right of final interpretation of the Rewards Program, and invites white hats to offer comments and suggestions.

Contact QQ group: 321 681 022.

Contact us

Sina Weibo

Official account