The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies.
To protect the interests of our users, we thank and reward white-hat hackers who help us improve security.
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse to exploit and damage our products or harm the interests of our users. This includes, but is not limited to, exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing or stealing data from related system services, or maliciously disseminating vulnerabilities or data. We will pursue legal action against parties who commit the actions described above.
1. Create an account and sign in at https://sec.xiaomi.com
2. Provide complete personal information
3. Submit the vulnerability report online
4. OR send the full report to firstname.lastname@example.org
The Xiaomi Security Center (hereafter referred to as MiSRC) team will review the vulnerability and update its status. Depending on the severity of the vulnerability, we will complete the review within seven working days. If required, we will contact the reporter to confirm the vulnerability with our team.
Reporters can check the status of their reported vulnerability and can communicate any objections to the Xiaomi Security Center team seven days after the vulnerability is confirmed, in particular regarding resolution of the dispute.
On the last day of every month, MiSRC will review the vulnerabilities for that month and publish reward information (on the noticeboard) within the following seven working days.
Reporters can then provide detailed information to collect their rewards.
According to the applicable scenarios, vulnerabilities are assessed in four general categories: web vulnerabilities, mobile client vulnerabilities, smart hardware vulnerabilities, and invalid vulnerabilities. The potential harm of a reported vulnerability is graded on the following five-tier scale: Major, High, Medium, Low, and Minor.
Important business: Mi Store, Mi Home Store, Mi Pay, etc.
General business: some system operating platforms, operating systems, business branch systems, Community, and Forums
Important business: Mi Store, Mi Home Store app, MIUI's own vulnerabilities (not including third-party components or Android native environment vulnerabilities)
General business: Xiaomi Community, branch business apps
Client-server interaction vulnerabilities that fit the web business layer can be assessed using the web-layer assessment standard.
For mobile client vulnerabilities, a report quality score is added to the report details and is divided into three levels:
Score 0.0~0.3: the report only provides test code, with no analysis process, no exploit process, no hazard statement, and no PoC or exploit report.
Score 0.4~0.7: the report has an analysis process, but no PoC or exploit report.
Score 0.8~1.0: the report is complete, including test code, analysis process, exploitation method, hazard statement, and a PoC or exploit report.
The final score equals the vulnerability score multiplied by the report quality score.
Important business: such as popular video smart hardware, Xiaomi Router, etc.
General business: such as Xiaomi Radio, Xiaomi Smart Light, etc.
Meaningless CSRF or low-risk CSRF
Temporary files with no sensitive information
Low-risk vulnerabilities that are hard to exploit
Internally known vulnerabilities
Low version numbers with no actual harm, and system components that are hard to exploit
The same parameter, or many requests to the same function, will be assessed as one vulnerability
Partial pressure will be assessed as one vulnerability
Non-security bugs
Clickjacking without any actual security impact
If the reporter disagrees with MiSRC's assessment of the reported vulnerability or has any other objection, he or she can contact management.
MiSRC reserves the right of final interpretation of the Rewards Program, and invites white hats to offer comments and suggestions.
Contact QQ group: 321 681 022.