Announcement

Xiaomi Security Reward Program

Posted by Minute on 2017-08-22 11:03:42

I. Basic principles

The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies.

To protect the interests of our users, we thank and reward white-hat hackers who help us improve security.

We oppose and condemn the actions of hackers who use vulnerability testing as an excuse to exploit and damage our products or harm the interests of our users. This includes, but is not limited to, exploiting vulnerabilities to steal user data, intruding into Xiaomi's services, changing or stealing data from related system services, or maliciously disseminating vulnerabilities or data. We will pursue legal action against parties who commit the actions described above.

 

II. Responsible vulnerability disclosure

1. Create an account and sign in at https://sec.xiaomi.com

2. Provide complete personal information

3. Submit the vulnerability report online

4. Or send the full report to security@xiaomi.com

 

The Xiaomi Security Center team (hereafter referred to as MiSRC) will review the vulnerability and update its status. Depending on the severity of the vulnerability, we will complete the review within seven working days. If required, we will contact the reporter so that they can confirm the vulnerability with our team.

Reporters can check the status of their reported vulnerability and can raise any objection with the Xiaomi Security Center team seven days after the vulnerability is confirmed; see section IV, Dispute resolution.

On the last day of every month, MiSRC reviews the vulnerabilities reported that month and publishes the reward information on the noticeboard within the following seven working days.

Reporters can then provide the details needed to collect their reward.

 

III. Vulnerability Assessment Standard

According to the applicable scenarios, vulnerabilities will be assessed in four general categories: web vulnerabilities, mobile client vulnerabilities, smart hardware vulnerabilities and invalid vulnerabilities. The potential harm of a reported vulnerability will be graded on the following 5-tier scale: Major, High, Medium, Low, and Minor.

 

Web:

Important business: Mi store, Mi home store, Mipay, etc.

General business: some system operating platforms, operation systems, business branch systems, Community and Forums

Major
  1. Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.
  2. Obtaining sensitive user data, including but not limited to order traversal, SQL injection, etc.
  3. Payment vulnerabilities, including but not limited to serious logic errors that yield large profits and cause losses to the company and its users
  4. Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mipay authority, etc.
  Score: Important business 10000~20000; General business 4000~10000

High
  1. Vulnerabilities including but not limited to SQL injection
  2. Some activity and business logic vulnerabilities, such as obtaining profits from points and red envelopes
  3. Weak passwords or verification bypass giving access to backend systems with some actual authority or sensitive information
  4. Obtaining some users' sensitive information
  5. Code disclosure vulnerabilities with a large impact
  6. SSRF into the intranet that returns intranet information
  7. Vulnerabilities that log in to individual accounts through user interaction and grant actual user operating authority
  8. Privilege escalation that does great damage to key functions
  Score: Important business 2000~3000; General business 600~2000

Medium
  1. Disclosure of a few users' information
  2. Stored XSS
  3. Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.
  4. File inclusion and directory traversal vulnerabilities that expose some sensitive information
  5. Code disclosure that cannot be exploited
  6. SSRF into the intranet with no echo or only partial echo, where no information or service permissions can be obtained
  7. GitHub disclosures such as employees' mailboxes and online server account passwords, etc.
  8. CSRF on key functions
  Score: Important business 500~800; General business 300~500

Low
  1. Reflected XSS
  2. GitHub disclosures such as employees' test server account passwords that are only valid within the intranet
  3. CSRF on normal functions
  4. Temporary file traversal
  5. Phpinfo
  6. URL redirection (jump URLs)
  7. Mail bombing
  8. Confirmed vulnerabilities that are hard to exploit
  9. Non-sensitive information leaks such as SVN, Git, etc.
  10. SMS bombing
  Score: Important business 100~200; General business 10~50

 

Mobile clients:

Important business: Mi store, Mi home store app, MIUI's own vulnerabilities (excluding third-party components and Android native environment vulnerabilities)

General business: Xiaomi community, branch business apps

Client-server interaction vulnerabilities that belong to the web business layer are assessed using the web assessment standard above.

 

Mobile client vulnerabilities also receive a report quality score, divided into three levels:

1. Low: quality score 0.0~0.3. The report only provides test code, with no analysis process, no exploit process, no hazard statement and no PoC or exploit report.

2. Medium: quality score 0.4~0.7. The report includes an analysis process but no PoC or exploit report.

3. High: quality score 0.8~1. The report is complete, including test code, analysis process, exploitation method, hazard statement and a PoC or exploit report.

The final score equals the vulnerability score multiplied by the report quality score.

Major
  1. Severe logic vulnerabilities that could cause users economic losses
  2. Obtaining system root permission
  3. Remote command execution
  4. Remote access to users' sensitive information
  Score: Important business 10000~20000; General business 5000~10000

High
  1. Remote access to part of users' sensitive information
  2. Vulnerabilities of no direct use to the attacker that may still cause users great loss
  3. Vulnerabilities that need some user interaction but can cause users great loss
  4. Obtaining system permission
  5. System-level lock screen bypass (must be tested on the latest development version and be universally reproducible)
  Score: Important business 2000~4000; General business 2000~3000

Medium
  1. Vulnerabilities that let an installed app restart the system or deny service to some features
  2. Hijacking that causes some harm
  3. Interface logic vulnerabilities that can deceive users, enable phishing, etc.
  4. App-level lock screen bypass
  Score: Important business 500~1000; General business 200~500

Low
  1. Unsafe app configuration
  2. Low-risk information disclosure
  3. Vulnerabilities that can only be exploited under complex conditions
  4. General function hijacking
  Score: Important business 100~200; General business 10~100

 

Smart hardware:

Important business: such as popular smart video hardware, Xiaomi Router, etc.

General business: such as Xiaomi radio, Xiaomi smart light, etc.

Major
  1. Severe logic vulnerabilities that could cause users economic losses
  2. Obtaining system root permission
  3. Remote command execution
  4. Remote access to users' sensitive information
  Score: Important business 10000~20000; General business 5000~10000

High
  1. LAN command execution
  2. Obtaining users' sensitive information
  3. Remote denial of service
  Score: Important business 5000~10000; General business 2000~4000

Medium
  1. LAN denial of service
  2. Denial of service requiring user interaction
  3. Privilege escalation and logic vulnerabilities in non-critical functions
  4. Vulnerabilities that can only be exploited under more restrictive conditions
  Score: Important business 1000~2000; General business 800~1000

Low
  1. Unsafe configuration
  2. Low-risk information disclosure
  Score: Important business 200~500; General business 100~200

Findings not eligible for bounty:

  • Vulnerabilities affecting outdated browsers or platforms

  • Recently disclosed 0-day vulnerabilities

  • "Self" XSS

  • Text injection

  • Path disclosure or leaked debugging information

  • Missing cookie flags

  • Session logout issues

  • SSL/TLS best practices

  • Information disclosures

  • Mixed content warnings

  • Denial of Service attacks

  • "HTTP Host Header" XSS

  • Clickjacking/UI redressing

  • Missing crumb parameters

  • Software version disclosure

  • Account/e-mail enumeration

  • Reflected file download attacks

  • Incomplete or missing SPF/DKIM

  • Physical or social engineering attacks

  • Results of automated tools or scanners

  • Login/logout/unauthenticated/low-impact CSRF

  • Presence of autocomplete attribute on web forms

  • Query manipulation that exposes tables or info via YQL

  • Self-exploitation (i.e. password reset links or cookie reuse)

  • Issues related to networking protocols or industry standards

  • Use of a known-vulnerable library (without proof of exploitability)

  • Descriptive/verbose/unique error pages (without proof of exploitability)

  • Missing security-related HTTP headers which do not lead directly to a vulnerability

IV. Dispute resolution

If the reporter disagrees with MiSRC's assessment of the reported vulnerability or has another objection, he or she can contact management.

MiSRC reserves the right of final interpretation of the Rewards Program and invites white hats to offer comments and suggestions.

Contact QQ group: 321 681 022.


V. Reward Payment Protocols

On the last day of the month, Xiaomi Security Center will calculate payments for all eligible vulnerabilities for that month and publish a notice on this notice board. Payment will be issued within 10 business days. If there is any problem with the payment, we will actively contact the reporter.

If the last day of the month is a weekend or holiday, the review will begin on the last working day of the month, and the normal timeline for announcements and payments resumes on the next business day. For example, if 31/1/2015 is a Saturday, Xiaomi Security Center would begin reviewing and calculating awards for the preceding month of January on 2/2/2015. The results for the previous month would be published in the three-day span from 2/2/2015 to 2/5/2015.