The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies.
To protect the interests of our users, we thank and reward white-hat hackers who help us improve security.
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse to exploit and damage our products or harm the interests of our users. This includes, but is not limited to, exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing or stealing data from related system services, or maliciously disseminating vulnerabilities or data. We will pursue legal action against parties who commit the actions described above.
1. Create an account and sign in at https://sec.xiaomi.com
2. Provide complete personal information
3. Submit the vulnerability report online
4. Or send the full report to firstname.lastname@example.org
The Xiaomi Security Center (hereafter referred to as MiSRC) team will review the vulnerability and update its status. Depending on the severity of the vulnerability, we will complete the review within seven working days. If required, we will contact the reporter to communicate with our team to confirm the vulnerability.
The reporter can check the status of their reported vulnerability, and can communicate any objections to the Xiaomi Security Center team seven days after the vulnerability is confirmed, with particular reference to resolution of the dispute.
On the last day of every month, MiSRC will review vulnerabilities for that month, and publish reward information (on the noticeboard) within the following seven working days.
The reporter can provide detailed information to collect rewards.
According to the applicable scenarios, vulnerabilities will be assessed in four general categories: web vulnerabilities, mobile client vulnerabilities, smart hardware vulnerabilities and invalid vulnerabilities. The potential harm of a reported vulnerability will be graded on the following 5-tier scale: Major, High, Medium, Low, and Minor.
Important business: Mi store, Mi home store, Mipay, etc.
General business: Some system operating platforms, operation systems, business branch systems, Community and Forums
Important business: Mi store, Mi home store app, MIUI's own vulnerabilities (not including third-party components or Android native environment vulnerabilities)
General business: Xiaomi community, branch business app
Client-server interaction vulnerabilities that fit the web business layer can be assessed using the web layer assessment standard.
Mobile client vulnerabilities: a score is assigned for the level of detail in the report, divided into three levels
Score from 0.0~0.3
Report provides only test code, with no analysis process, no exploit process, no hazard statement, and no PoC/exp report
Score from 0.4~0.7
Report has an analysis process, but no PoC/exp report
Score from 0.8~1
Report is complete, including test code, analysis process, exploitation method, and hazard statement, and provides a PoC/exp report.
The final score equals the vulnerability score multiplied by the report quality score.
Important business: Such as popular video smart hardware, Xiaomi Router, etc.
General business: Such as Xiaomi radio, Xiaomi smart light, etc.
Findings not eligible for bounty:
Vulnerabilities affecting outdated browsers or platforms
Recently disclosed 0-day vulnerabilities
Path leak, debugging information leaked
Missing cookie flags
Session login out
SSL/TLS best practices
Mixed content warnings
Denial of Service attacks
"HTTP Host Header" XSS
Missing crumb parameters
Software version disclosure
Reflected file download attacks
Incomplete or missing SPF/DKIM
Physical or social engineering attacks
Results of automated tools or scanners
Presence of autocomplete attribute on web forms
Query manipulation that exposes tables or info via YQL
Self-exploitation (i.e. password reset links or cookie reuse)
Issues related to networking protocols or industry standards
Use of a known-vulnerable library (without proof of exploitability)
Descriptive/verbose/unique error pages (without proof of exploitability)
Missing security-related HTTP headers which do not lead directly to a vulnerability
If the reporter disagrees with MiSRC's assessment of the reported vulnerability or has another objection, he or she can contact management.
MiSRC reserves the right of ultimate interpretation of the Rewards Program, and invites white hats to offer comments and suggestions.
Contact QQ group: 321 681 022.
On the last day of the month, Xiaomi Security Center will calculate payments for all eligible vulnerabilities for that month and publish a notice on this notice board. Payment will be issued within 10 business days. If there is any problem with the payment, we will actively contact the reporter.
If the last day of the month is a weekend or holiday, review will begin on the last working day of the month. The normal timeline for announcements and payments will resume on the next business day. For example, if 31/1/2015 is a Saturday, Xiaomi Security Center would begin reviewing and calculating awards on 2/2/2015 for the preceding month of January. The results for the previous month would be published in the 3-day span of 2/2/2015 to 2/5/2015.