Xiaomi Security Reward Program

Post by Pa0er at 2017-08-22 11:03:42

I. Basic principles 

The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 

To protect the interests of our users, we thank and reward white-hat hackers who help us improve security. 

We oppose and condemn the actions of hackers who use vulnerability testing as an excuse to exploit and damage our products or harm the interests of our users. This includes, but is not limited to, exploiting vulnerabilities to steal user data, intruding into Xiaomi's services, changing or stealing data from related system services, or maliciously disseminating vulnerabilities or data. We will pursue legal action against parties who commit the actions described above. 


II. Responsible vulnerability disclosure 

The Xiaomi Security Center team (hereafter referred to as MiSRC) will review the vulnerability and update its status. Depending on the severity of the vulnerability, we will complete the review within seven working days. If required, we will contact the reporter to confirm the vulnerability with our team. 

Reporters can check the status of their reported vulnerability and can communicate any objections to the Xiaomi Security Center team seven days after the vulnerability is confirmed, with particular reference to the dispute resolution process described below.


III. Vulnerability Assessment Standard

According to the applicable scenarios, vulnerabilities will be assessed in four general categories: web vulnerabilities, mobile vulnerabilities, smart hardware vulnerabilities and invalid vulnerabilities. The potential harm of a reported vulnerability will be graded on a four-tier scale (Critical, High, Medium, Low) or, where the Critical tier does not apply, a three-tier scale (High, Medium, Low). 


Web vulnerabilities  

Test Range:  

  •  * 

  • * 

Out-of-Range:  Vulnerabilities of low severity will be accepted but not awarded with bounty. 


Important business: Mi Store, Mi Home Store, Mi Pay, etc. General business: some system operating platforms, operating systems, branch business systems, Community and Forums. 





Critical:

  1. Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc. 

  2. Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc. 

  3. Payment vulnerabilities, including but not limited to serious logic errors that allow obtaining large profits and cause losses to the company and users.

  4. Vulnerabilities that damage the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.

Important business: 10000~20000

General business: 4000~10000


High:

  1. Including but not limited to SQL injection

  2. Some activity and business logic vulnerabilities, such as obtaining some profit from scores and red envelopes

  3. Weak passwords or verification bypass that gives access to backend clients with some actual authority or sensitive information

  4. Obtaining partial users' sensitive information

  5. Code disclosure vulnerabilities with a major impact

  6. SSRF into the intranet that returns intranet information

  7. Login to individual accounts via user interaction, with actual user operating authority

  8. Privilege escalation that causes great damage to key functions

Important business: 2000~3000

General business: 600~2000


Medium:

  1. Disclosure of a few users' information

  2. Stored XSS vulnerabilities 

  3. Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.

  4. File inclusion and directory traversal vulnerabilities that can view some parts of sensitive information

  5. Code disclosure that cannot be made use of

  6. SSRF into the intranet with no echo or partial echo, but which cannot obtain information or service permissions

  7. GitHub disclosure, such as employees' mailboxes and online server account passwords, etc.

  8. CSRF on key functions


Important business: 50~80

General business: 30~50


Low:

1. Reflected XSS 

2. Non-sensitive information disclosure from third-party platforms such as GitHub. 

3. CSRF in non-critical business. 

4. Temporary file disclosure 

5. phpinfo disclosure 

6. Unchecked URL redirection 

7. Mail bombing 

8. SMS bombing 

9. Debug info disclosure 

10. Vulnerabilities that depend on difficult scenarios or preconditions 

11. Non-sensitive .svn or .git disclosure 

No bounty


Mobile vulnerabilities 

Test Range: Apps of Xiaomi Inc. 

Important Business:  MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService

General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI 

Out-of-Range:  Vulnerabilities of low severity will be accepted but not awarded with bounty. 


Notice: Vulnerabilities in scenarios where an app interacts with a web server, and which fit the web vulnerability standard, will be evaluated under the web security standard. 


The level of detail in a vulnerability report influences the reward. The levels are as follows:

1. Low: no PoC, exploit, code, or documentation of the analysis process: coefficient 0.0~0.3

2. Medium: documentation of the analysis process but no PoC or exploit: coefficient 0.4~0.7

3. High: documentation of the analysis process plus PoC and exploit: coefficient 0.8~1 


All reported vulnerabilities are assessed in terms of their real impact on Xiaomi's business. A vulnerability's rating will be downgraded if its severity cannot be proved. 


According to the applicable scenarios, the potential harm of a reported vulnerability will be graded on the following 4-tier scale: Critical, High, Medium, and Low.





Critical:

1. Severe logic vulnerabilities that can cause users economic losses 

2. Obtaining system root permission 

3. Remote command execution 

4. Remote access to users' sensitive information 

5. Bypassing permission checks to access payment data or users' authentication data in the TEE 

6. Bypassing secure boot, SELinux, etc. 

7. TEE arbitrary command execution 

8. Remote permanent system denial of service that affects important system features such as Wi-Fi, SMS and telephony.


Important business: 1500~30000

General business: 750~1500


High:

1. Remote access to most or part of users' sensitive information 

2. Vulnerabilities of no use to an attacker but which may lead to great loss to users 

3. Vulnerabilities that need some interaction logic and can lead to great loss to users 

4. Obtaining system permission 

5. Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible) 

6. Bypassing authentication to access sensitive data in the TEE other than the cases mentioned in the Critical level 

7. Local leak of users' sensitive information 

8. Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit) 

9. Remote permanent denial of service of important apps

Important business: 300~600

General business: 300~450


Medium:

1. Vulnerabilities that can restart the system or cause denial of service of some features by installing an app 

2. Hijacking that causes some harm 

3. Interface logic vulnerabilities that can deceive users, enable phishing, etc. 

4. Bypassing the lock screen at app level 

5. Bypassing authentication of the find-phone function or resetting the phone 

6. Local leak of general users' information 

7. Remote temporary system denial of service


Important business: 75~150

General business: 30~75


Low:

  1. Unsafe app configuration 

  2. Low-risk information disclosure 

  3. Vulnerabilities that can only be exploited under complex conditions 

  4. Loading arbitrary URLs through an exposed component for phishing 

No bounty


Hardware Vulnerabilities 

Test Range 

We accept vulnerabilities of the product that is listed below: 

Mi/Redmi Phone   ( , , , , , ) 

Mi Band    ( ) 

Mi Home Webcam ( , ) 

Mi Robot Vacuum  ( ) 

Mi TV Box  ( ) 

Mi Laser Projector  ( ) 

Mi TV   ( ) 

Mi Electric Scooter   ( ) 






High:

1. Executing arbitrary code on, or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) from, the target device via the Internet or near-field contactless mode 

2. Unauthorized control of the target device via the Internet, or making functions serve unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)



Medium:

1. Executing arbitrary code on, or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) from, the target device via a LAN environment. 

2. Unauthorized control of the target device via LAN or near-field contactless mode, or making functions serve unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video) 



Low:

1. Implanting malicious code or tampering with firmware on the target device through physical access, without dismantling the device 

2. Denial of service (excluding traffic and performance attacks) affecting the device via the Internet or LAN 


Findings not eligible for bounty:

  • Vulnerabilities affecting outdated browsers or platforms

  • Vulnerabilities affecting outdated Mobile App

  • Local Denial of Service of Mobile App

  • Recently disclosed 0-day vulnerabilities

  • Difficult to exploit vulnerabilities

  • Unable to prove the harm of vulnerabilities

  • "Self" XSS

  • Text injection

  • Path leak, debugging information leaked

  • Missing cookie flags

  • Session login out

  • SSL/TLS best practices

  • Information disclosures

  • Mixed content warnings 

  • Denial of Service attacks

  • "HTTP Host Header" XSS

  • Clickjacking/UI redressing

  • Missing crumb parameters

  • Software version disclosure

  • Account/e-mail enumeration

  • Reflected file download attacks

  • Incomplete or missing SPF/DKIM

  • Physical or social engineering attacks

  • Results of automated tools or scanners

  • Login/logout/unauthenticated/low-impact CSRF

  • Presence of autocomplete attribute on web forms

  • Query manipulation that exposes tables or info via YQL

  • Self-exploitation (i.e. password reset links or cookie reuse)

  • Issues related to networking protocols or industry standards

  • Use of a known-vulnerable library (without proof of exploitability)

  • Descriptive/verbose/unique error pages (without proof of exploitability)

  • Missing security-related HTTP headers which do not lead directly to a vulnerability

IV. Dispute resolution

If the reporter disagrees with the MiSRC's assessment of the reported vulnerability or has another objection, he or she can contact management.  


MiSRC reserves the right of final interpretation of the Rewards Program and invites white hats to offer comments and suggestions. 

