Announcement

Xiaomi Security Reward Program

Posted by Minute on 2017-08-22 11:03:42

I. Basic principles

The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies.

To protect the interests of our users, we thank and reward white-hat hackers who help us improve security.

We oppose and condemn the actions of hackers who use vulnerability testing as an excuse to exploit and damage our products or harm the interests of our users. This includes, but is not limited to, exploiting vulnerabilities to steal user data, intruding into Xiaomi's services, changing or stealing data from related system services, or maliciously disseminating vulnerabilities or data. We will pursue legal action against parties who commit the actions described above.

 

II. Responsible vulnerability disclosure

1. Create an account and sign in at https://sec.xiaomi.com

2. Provide complete personal information

3. Submit the vulnerability report online

4. Alternatively, send the full report to security@xiaomi.com

 

The Xiaomi Security Center team (hereafter referred to as MiSRC) will review the vulnerability and update its status. Depending on the severity of the vulnerability, the review will be completed within seven working days. If required, we will contact the reporter so that our team can confirm the vulnerability.

Reporters can check the status of their reported vulnerability and, within seven days after the vulnerability is confirmed, can raise any objections with the MiSRC team, in particular regarding the resolution of a dispute.

On the last day of every month, MiSRC will review the vulnerabilities for that month and publish the reward information on the noticeboard within the following seven working days.

Reporters can then provide the detailed information needed to collect their rewards.

 

III. Vulnerability Assessment Standard

According to the applicable scenarios, vulnerabilities will be assessed in four general categories: web vulnerabilities, mobile client vulnerabilities, smart hardware vulnerabilities and invalid vulnerabilities. The potential harm of a reported vulnerability will be graded on the following 5-tier scale: Major, High, Medium, Low, and Minor.

 

Web:

Important business: Mi Store, Mi Home store, Mipay, etc.

General business: some system operating platforms, operations systems, business branch systems, the Community and the Forums

Severity | Vulnerabilities | Score

Major

  1. Vulnerabilities that directly yield system permissions, including but not limited to SQL injection, remote overflows, etc.

  2. Vulnerabilities that expose sensitive user data, including but not limited to order traversal, SQL injection, etc.

  3. Payment vulnerabilities, including but not limited to serious logic errors that yield large profits and cause losses to the company and its users

  4. Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mipay authority, etc.

Important business: 10000~20000

General business: 4000~10000

High

  1. Including but not limited to SQL injection

  2. Some activity and business logic vulnerabilities, such as obtaining some profit from points or red envelopes

  3. Stored XSS that obtains the full cookie

  4. Weak passwords or verification bypasses that grant access to backend clients with some actual authority or sensitive information

  5. Obtaining some users' sensitive information

  6. Code disclosure vulnerabilities with a large impact

  7. SSRF into the intranet that returns intranet information

  8. Vulnerabilities that log in to individual accounts through user interaction and gain actual user operating authority

  9. Privilege escalation that causes great damage to key functions

Important business: 2000~3000

General business: 600~2000

Medium

  1. Disclosure of a few users' information

  2. Stored XSS that cannot obtain the full cookie

  3. Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.

  4. File inclusion and directory traversal vulnerabilities that can view parts of sensitive information

  5. Code disclosure that cannot be exploited

  6. SSRF into the intranet with no echo or partial echo, where no information or service permissions can be obtained

  7. GitHub disclosure, such as employees' mailboxes and online server account passwords, etc.

  8. CSRF on key functions

  9. SMS bombing

Important business: 500~800

General business: 300~500

Low

  1. Reflected XSS

  2. GitHub disclosure, such as employees' account passwords for test servers that live within the intranet

  3. CSRF on normal functions

  4. Temporary file traversal

  5. Phpinfo exposure

  6. URL jumps (redirects)

  7. Mail bombing

  8. Path leaks, debugging information leaks

  9. Confirmed as a vulnerability but hard to exploit

  10. Non-sensitive information leaks, such as SVN, Git, etc.

Important business: 100~200

General business: 10~50

 

Mobile clients:

Important business: Mi Store, Mi Home store app, MIUI's own vulnerabilities (not including third-party components or Android native environment vulnerabilities)

General business: Xiaomi community, branch business apps

 

Client and server interaction vulnerabilities that fit the web business layer can use the web layer assessment standard.

 

For mobile client vulnerabilities, a report quality score is added to the report details, divided into three levels:

1. Low

Score from 0.0~0.3

The report only provides test code, with no analysis process, no exploit process, no hazard statement, and no PoC or exploit report.

2. Medium

Score from 0.4~0.7

The report has an analysis process, but no PoC or exploit report.

3. High

Score from 0.8~1

The report is complete, including test code, the analysis process, exploitation methods and a hazard statement, and provides a PoC or exploit report.

The final score equals the vulnerability score multiplied by the report quality score.

Severity | Vulnerabilities | Score

Major

  1. Severe logic vulnerabilities that could cause users economic losses

  2. Obtaining system root permission

  3. Remote command execution

  4. Remote access to users' sensitive information

Important business: 10000~30000

General business: 5000~10000

High

  1. Remote access to most or some users' sensitive information

  2. Vulnerabilities that are of no use to the attacker but may lead to great loss for users

  3. Vulnerabilities that need some interaction logic and can then lead to great loss for users

  4. Obtaining system permission

  5. Bypassing the lock screen at system level (must be tested against the latest development versions and be universally reproducible)

Important business: 2000~4000

General business: 2000~3000

Medium

  1. Vulnerabilities that can restart the system or deny service to some features by installing an app

  2. Hijacking that causes some harm

  3. Interface logic vulnerabilities that can deceive users, enable phishing, etc.

  4. Bypassing the lock screen at app level

Important business: 500~1000

General business: 200~500

Low

  1. Unsafe app configuration

  2. Low-risk information disclosure

  3. Vulnerabilities that can only be exploited under complex conditions

  4. Hijacking of general functions

Important business: 100~200

General business: 10~100

 

Smart hardware:

Important business: such as popular smart video hardware, Xiaomi Router, etc.

General business: such as Xiaomi radio, Xiaomi smart light, etc.

 

Severity | Vulnerabilities | Score

Major

  1. Severe logic vulnerabilities that could cause users economic losses

  2. Obtaining system root permission

  3. Remote command execution

  4. Remote access to users' sensitive information

Important business: 10000~50000

General business: 5000~10000

High

  1. LAN command execution

  2. Obtaining users' sensitive information

  3. Remote denial of service

Important business: 5000~10000

General business: 2000~4000

Medium

  1. LAN denial of service

  2. Interaction that leads to denial of service

  3. Privilege escalation and logic vulnerabilities in unimportant functions

  4. Vulnerabilities that can only be exploited in harsher environments

Important business: 1000~2000

General business: 800~1000

Low

  1. Unsafe configuration

  2. Low-risk information disclosure

Important business: 200~500

General business: 100~200

Minor vulnerabilities:

  1. Meaningless or low-risk CSRF

  2. Temporary files with no sensitive information

  3. Low-risk vulnerabilities that are hard to exploit

  4. Self-XSS

  5. Internally known vulnerabilities

  6. Outdated versions with no actual harm, and system components that are hard to exploit

  7. Reports with the same parameters, or many requests against the same function, will be assessed as one vulnerability

  8. Partial pressure will be assessed as one vulnerability

  9. Bugs that are not security issues

  10. Clickjacking without any actual security effect

  11. Others


IV. Dispute resolution

If the reporter disagrees with MiSRC's assessment of the reported vulnerability or has another objection, they can contact management.

MiSRC reserves the right of final interpretation of the Rewards Program, and invites white hats to offer comments and suggestions.

Contact QQ group: 321 681 022.