[{"id":3771687,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules \u0026 Code of Conduct\n* Disclosure Guidelines\n* Safe Harbor\n* Response Time\n* General Assessment Rules\n* Detailed Rules and Bounty Scheme\n    * Web Vulnerabilities\n    * Mobile Vulnerabilities\n    * Hardware Vulnerabilities\n    * Privacy Vulnerabilities\n* Out-of-Scope Vulnerabilities\n* FAQ\n\n----------------\n \n# Ground Rules \u0026 Code of Conduct\n* The security of our products is vital to us, and we constantly strive to guarantee our users' security. Xiaomi hopes to provide solid and comprehensive security protection for our products and services by working closely with individuals, organizations, and companies around the world. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect users' privacy - Xiaomi respects our users’ privacy, and we oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data; editing, copying, or stealing data from related system services by intruding into Xiaomi’s services; or maliciously disseminating vulnerabilities which may disclose users' data.\n* Cause more good than harm - You should never leave a system or users in a more dangerous state when you find any vulnerabilities. You shall not engage in activities that may degrade, damage, or destroy the information in our systems, or that may impact our users, such as Denial of Service, social engineering, or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be applied.\n* Note: This platform is for international white hats. 
White hats from Mainland China must submit reports to the Xiaomi Security Center via https://sec.xiaomi.com/\n\n------------ \n\n# Disclosure Guidelines\n* Please do not disclose or discuss any security vulnerabilities (even resolved vulnerabilities) in Xiaomi products without express consent from Xiaomi, regardless of whether the vulnerability is covered by this bug bounty program.\n* Please follow the disclosure guidelines of HackerOne. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi will send you a thank-you reward.\n\nThanks for keeping Xiaomi and our users secure and safe!\n\n--------- \n\n# Response Time\nXiaomi will make a best effort to meet the following target response times for the white hats participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 10 business days\n* Time to bounty (from triage) - 14 business days\n \nWe’ll try to keep you informed about our progress.\n\nPlease _do not_ send repeated follow-up messages unless our response has exceeded the target response time above. 
We appreciate your patience.\n\n------------ \n\n# General Assessment Rules\n* Please include as much detailed information as possible in the vulnerability report, such as the steps to reproduce the vulnerability and the expected result of each step. If the information you submit is insufficient for us to verify the vulnerability, you will not be eligible for the reward.\n* If you discover a security vulnerability through the use of automated tools or scanners, please reproduce it manually and provide relevant details; otherwise, the vulnerability report may be ignored or receive a smaller reward than expected.\n* If multiple vulnerability reports are submitted that are all caused by the same root cause, these reports will only be confirmed as ONE valid submission. For example, vulnerabilities caused by a common server configuration that affects multiple products.\n* When duplicate vulnerability reports appear, we will verify them in order of submission time, and the first vulnerability report that meets the confirmation requirements will be rewarded.\n* For vulnerability reports involving third-party components, we only accept unknown or 0-day vulnerabilities, and only reward the first valid submission.\n* For vulnerability reports involving Xiaomi's cooperating manufacturers, we only confirm vulnerabilities that affect Xiaomi's products and services and give reasonable ratings based on the actual situation.\n* We set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF vulnerability in our production environment, please test it via https://ssrf.dun.mi.com/ssrf/hacker. 
Please provide the necessary information when submitting the report based on your testing results, as follows:\n    *  If there is an echo (the response is displayed), a complete page screenshot of the echo (including text length, and whether the echo is complete or partial) shall be provided in the report.\n    *  If there is no echo, the content and access time of the custom field shall be provided in the report. We will verify your submitted information.\n* For vulnerabilities related to data leakage from cloud storage buckets, e.g. S3, KSS, FDS, etc., the following factors will be considered before confirmation:\n    *  whether the data or link should have restricted access,\n    *  if so, the sensitivity of the data or link exposed to the public.\n* The final assessment result of each vulnerability report depends on multiple factors, including but not limited to the severity and risk, the difficulty of exploitation, the scope of impact, and whether there are mitigation measures.\n* Xiaomi has the final decision and interpretation rights on the final assessment results, including whether a vulnerability report should be rewarded and the specific amount of the reward.\n\n\n\n------------ \n\n# Detailed Rules and Bounty Scheme\n\n\n\n## WEB VULNERABILITIES\n\n**Scope \u0026 Categorization**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: virtual banking, Xiaomi Chaoshen, financial technology, and other Xiaomi cooperative investment businesses; some third-party businesses, such as imilab.com, zhimi.com, zmifi.com, etc.; and some operation and maintenance monitoring, test pages, testing environments, and open-source systems that lack access controls (judged by name as to whether a suspected Xiaomi-related business needs internal evaluation 
to confirm whether it has an actual impact on Xiaomi);\n\n*Please note that the above list may be updated due to business development at any time.*\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $900~$2000 | $400~$800 | $70~$110 | No Reward |\n| General Business   | $400~$800  | $150~$300 | $20~$60 | No Reward |\n| Edge Business      | $100~$200   | $30~$50 | No Reward | No Reward |\n\n*Please note that vulnerabilities with low severity will be triaged and receive reputation points accordingly, but will not be eligible for bounties.*\n\n**Examples of CRITICAL vulnerabilities**\n* Vulnerabilities that give direct access to core system permissions and can directly harm the intranet, including but not limited to command execution, remote overflow, and other vulnerabilities;\n* Vulnerabilities that can obtain a large amount of core Xiaomi user data or involve trade-secret contracts, including but not limited to SQL injection into core databases;\n* Payment-related vulnerabilities, including but not limited to serious logic errors and vulnerabilities that can obtain a large number of benefits and cause losses to the company and users;\n* Vulnerabilities that endanger the Xiaomi account system: without any interaction, logging in to any Xiaomi account, obtaining detailed user information, logging in to Xiaomi Cloud to control mobile phones, making payments as the user, and other permissions\n \n\n \n**Examples of HIGH vulnerabilities**\n* Vulnerabilities that can obtain sensitive user information, including but not limited to SQL injection on ordinary sites;\n* Logic vulnerabilities in individual activities and businesses, such as those that can obtain excess benefits, such as points and red packets;\n* Weak passwords or authentication bypasses that give access to back-end systems with actual permissions, or sensitive information or 
code leaks in the business that allow an online business to actually be operated and cause greater harm.\n* SSRF that reaches the intranet, supports a variety of protocols, and can detect vulnerabilities in intranet services (for the SSRF verification method, see the notes in the General Assessment Rules);\n* Vulnerabilities that, in specific scenarios or through some user interaction, allow logging in to individual Xiaomi accounts with actual user operation permissions;\n* Access to sensitive information such as core cookies, or stored XSS\n\n\n \n**Examples of MEDIUM vulnerabilities**\n*  General user information disclosure;\n*  Vulnerabilities that require interaction to affect users, including but not limited to stored XSS and CSRF on important sensitive operations;\n*  Destructive unauthorized operations (broken access control), such as editing or deleting comments, changing function attributes, etc.;\n*  File inclusion, directory traversal, and vulnerabilities that can view some sensitive information;\n*  Code leaks and vulnerabilities that expose sensitive information but have not been successfully exploited;\n*  SSRF that reaches the intranet with no echo, or with partial echo, but fails to obtain information or service permissions (for the SSRF verification method, see the notes in the General Assessment Rules);\n*  Leaks on GitHub that disclose employee email account passwords, online server account passwords, and similar credentials;\n*  File uploads that can only be used for phishing;\n*  (Important business) stored XSS vulnerabilities that are not limited by browser security policies;\n*  DOM XSS that requires strong, multi-step interaction (two steps or more) to have a greater impact on users;\n*  Domain names that can be hijacked arbitrarily by an attacker\n\n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that can obtain user information under certain circumstances, including but not limited to reflected XSS, CSRF, temporary file traversal, URL redirection, SMS bombing, and minor information disclosure;\n* Disclosure of information including but not limited to debugging information, 
phpinfo pages, SVN file disclosure, GitHub leaks of employee intranet test server account passwords, and other machine log files with some sensitive information;\n* Confirmed as a vulnerability, but difficult to exploit;\n* Denial of service attacks caused by application-layer defects;\n\n\n------------ \n\n## MOBILE VULNERABILITIES\n### Scope \u0026 Categorization\n* Important businesses: Latest version of Xiaomi mobile apps preinstalled on Xiaomi mobile phones, MIUI vulnerabilities\n* General businesses: Single-issue apps, non-pre-installed but downloadable Xiaomi mobile apps\n* Edge businesses: Special Edition business APPs\n\n*Please note that the above list may be updated due to business development at any time.*\n\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $3500~$115000 | $800~$1600 | $200~$600 | $50~$100 |\n| General Business   | $700~$3000  | $400~$700 | $100~$200 | $10 |\n| Edge Business      | $300~$700   | $100~$150 | $10  | $5 |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Bypass of Secure Boot\n* Launch a permanent denial of service attack remotely, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Obtain ROOT permissions\n* Remote execution of arbitrary code in a privileged process\n* Execute arbitrary code in the TEE\n* Unauthorized access to TEE-protected data (only fingerprints, faces, and other data whose exposure can cause loss of user property are rated as critical)\n \n\n**Examples of HIGH vulnerabilities**\n* Remotely obtain user-related sensitive information (photos, address books, audio, etc.)\n* Remotely execute arbitrary code in ordinary application processes\n* Remote access to protected data (data accessible by privileged processes only)\n* Local execution of arbitrary code in privileged 
applications, the TCB, or an ICE\n* System-level lock screen bypass (must be tested on the latest development version and be universally reproducible)\n* Launch a permanent denial of service attack locally, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Remotely read arbitrary data in the victim APP's sandbox\n* Remotely turn on or off functions that are usually initiated by users, or functions that require user permission before they can be used, without user interaction\n* Bypassing device protection functions (e.g. mobile phone retrieval)\n* Modify security settings locally without user interaction\n* Obtain user-sensitive information locally\n \n\n**Examples of MEDIUM vulnerabilities**\n* Remotely launch a temporary denial of service attack, which can cause the system to hang or the device to restart\n* Logic vulnerabilities that can be used to deceive users\n* Locally read arbitrary data from the victim APP's sandbox\n* Bypass the APP lock screen\n* Locally obtain sensitive user information (for example, the mobile phone number) without permission\n* Locally execute arbitrary code in ordinary application processes\n* Locally turn on or off functions that are usually initiated by users, or functions that require user permission before they can be used, without user interaction\n\n \n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that require multiple (more than two) user interactions to trigger\n* Hijacking vulnerability in the APP upgrade function\n* Requires physical contact. 
In some scenarios, information-security-related vulnerabilities will only occur with the user's cooperation\n* Obtain non-user-related sensitive information\n* Launch a temporary denial of service attack remotely, causing the application to crash and restart\n* Execute arbitrary code in restricted processes locally\n\n\n### Terminology Explanation\n**Remote**: refers to exploiting vulnerabilities to carry out attacks without installing applications or physically touching the device, including via web browsing, reading SMS and MMS messages, sending and receiving emails, file downloads, wireless network communications (excluding short-range communications with a communication distance of less than 10 cm), and other methods.\n**Local**: refers to exploiting vulnerabilities to carry out attacks that require the installation of applications on the victim system, or require physical contact with the device and short-range communication with a communication distance of less than 10 centimeters.\n**Restricted process**: a process that is subject to stricter permission constraints than ordinary application processes, or that runs in a highly restricted SELinux (or SEAndroid) domain.\n**Ordinary application process**: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application process or a built-in application process without system-level permissions.\n**Privileged process**: refers to applications or processes running in the system_app domain of SELinux (or SEAndroid), including processes running with system-level permissions and processes with root permissions.\n**TCB**: TCB is the abbreviation of Trusted Computing Base, which refers to the overall protection mechanism of the computer, including the hardware, firmware, and software, and their combination, responsible for enforcing security policies. 
It establishes a basic protection environment and provides the additional user services required by a trusted computer system, including but not limited to part of the kernel and drivers, or user services equivalent to the kernel, such as init, vold, etc.\n**TEE**: TEE is the abbreviation of Trusted Execution Environment, which coexists with the Android system on the device. It is mainly used to provide Android with an operating environment for trusted computing, trusted storage, and other security services.\n**ICE**: ICE is the abbreviation of Independent Computing Environment, which refers to a combination of relatively focused functional services with an independent computing unit, firmware program, and simple OS, such as a baseband modem.\n \n------------ \n\n## HARDWARE VULNERABILITIES\n### Scope \u0026 Categorization\n* Xiaomi and Mijia brand hardware \u0026 IoT products.\n* For hardware \u0026 IoT products not using the Xiaomi or Mijia brand, please submit the vulnerability by selecting “Other hardware assets”.\n* Important businesses: Routers, cameras, TVs, and other intelligent hardware related to user privacy, personal safety, and property security.\n* General businesses: Devices that do not store user information and do not pose significant risks to users, such as smart bulbs, 
etc.\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $2000~$9000 | $800~$2000 | $200~$600 | $50~$100 |\n| General Business   | $500~$1200  | $400~$700 | $80~$150 | $10~$50 |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Vulnerabilities that could cause significant financial loss to users\n* Universal RCE targeting different device models\n* Remotely render a device permanently inoperable\n\n**Examples of HIGH vulnerabilities**\n* Non-interactive command execution in a LAN environment\n* Vulnerabilities that can acquire large amounts of detailed sensitive user information in a WAN environment\n\n**Examples of MEDIUM vulnerabilities**\n* Interactive or authorized command execution in a LAN environment\n* Denial of service (not including traffic and performance attacks) in a WAN environment\n \n\n**Examples of LOW vulnerabilities**\n* Insecure configuration\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without dismantling the device\n* Denial of service (not including traffic and performance attacks) against the device via the LAN\n\n--------- \n\n\n## PRIVACY VULNERABILITIES\n\n**Scope**\nMobile apps preinstalled on Xiaomi smartphones.\n\n| App Name | Package Name |\n| :--- | :--- |\n| App Vault | com.mi.android.globalminusscreen |\n| Backup \u0026 Reset | com.miui.backup |\n| Mi Browser | com.android.browser |\n| Downloads | com.android.providers.downloads.ui |\n| File Manager | com.mi.android.globalFileexplorer |\n| Gallery | com.miui.gallery |\n| Messaging | com.android.mms.service |\n| Mi Video | com.miui.videoplayer |\n| Mi Music | com.miui.player |\n| Security Center | com.miui.securitycenter |\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | 
com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Fashion Gallery | com.miui.android.fashiongallery |\n| Mi Drop / ShareMe | com.xiaomi.midrop |\n| Mi Cloud | com.miui.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Recorder | com.miui.screenrecorder |\n| Services \u0026 Feedback | com.miui.bugreport |\n| System Launcher | com.miui.home |\n\n**Bounties**\n\n| Severity | Bounty |\n| -------------- | ------------------ |\n| High | $200~$500 |\n| Medium | $100~$200 |\n| Low | $50~$100 |\n\nPrivacy vulnerabilities refer to violations of laws and regulations related to privacy or data protection in the country or region where the user is located. If such a vulnerability is not fixed in time, it will infringe the user's rights and interests, or cause negative impact or damage to the company's operations or reputation.\nThe severity of a privacy vulnerability will be comprehensively determined based on factors such as the degree of violation of laws and regulations, the degree of damage to user rights and interests, the degree of impact on the company, and the scope of impact.\n\n\n--------- \n\n\n# Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please always consider the attack scenario and exploitability, as well as the security impact of the vulnerability. For vulnerabilities that are difficult to exploit and have low impact, we may ignore the submission. The following types of issues will not be accepted and are considered beyond the scope of our bug bounty program.\n\n**For Web**\n* Design flaws and best-practice issues that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. 
self-XSS, having a user paste JavaScript into the browser console, or exposure of third-party API keys that cannot be used and has no significant security impact\n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over\n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and misconfigurations that permit CORS but do not leak any information\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing a software version or IP address\n    * Uploaded files that cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old versions of Internet Explorer\n    * HTTP status codes/pages, other HTTP codes/pages, and other files containing non-sensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain information about intranet servers and only produce a DNS log entry, with no further impact\n* Misconfigurations such as:\n    * DNS issues (e.g. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n**For Mobile**\n**Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs with sensitive information, or user data for which encryption has been promised)\n* Lack of code obfuscation\n* OAuth \u0026 APP secrets hard-coded in or recoverable from the APK\n* Any kind of sensitive data protected only by the APP private directory\n* Lack of binary protection controls in Android APPs\n* APP manifest setting allowBackup set to true\n \n**Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**Others**\n* Any data leak that occurs because a malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken (rooted) environment)\n* Spoofing vulnerabilities that are not convincingly deceptive\n* Attacks that are only possible on older versions of Android\n\n--------- \n\n\n\n# FAQ\n* Will Xiaomi secretly fix an ignored vulnerability?\n\n*Absolutely not! 
If the ignored vulnerability is later fixed, it is possible that the vulnerability had already been discovered internally and was being fixed, or that the vulnerability disappeared as the product itself changed, rather than Xiaomi ignoring the report and then fixing the issue based on the report's information.*\n\n--------- \n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-26T03:52:47.932Z"},{"id":3771665,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules \u0026 Code of Conduct\n* Disclosure Guidelines\n* Safe Harbor\n* Response Time\n* General Assessment Rules\n* Detailed Rules and Bounty Scheme\n    * Web Vulnerabilities\n    * Mobile Vulnerabilities\n    * Hardware Vulnerabilities\n    * Privacy Vulnerabilities\n* Out-of-Scope Vulnerabilities\n* FAQ\n\n----------------\n \n# Ground Rules \u0026 Code of Conduct\n* The security of our products is vital to us, and we constantly strive to guarantee our users' security. Xiaomi hopes to provide solid and comprehensive security protection for our products and services by working closely with individuals, organizations, and companies around the world. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect users' privacy - Xiaomi respects our users’ privacy, and we oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data; editing, copying, or stealing data from related system services by intruding into Xiaomi’s services; or maliciously disseminating vulnerabilities which may disclose users' data.\n* Cause more good than harm - You should never leave a system or users in a more dangerous state when you find any vulnerabilities. You shall not engage in activities that may degrade, damage, or destroy the information in our systems, or that may impact our users, such as Denial of Service, social engineering, or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be applied.\n* Note: This platform is for international white hats. White hats from Mainland China must submit reports to the Xiaomi Security Center via https://sec.xiaomi.com/\n\n------------ \n\n# Disclosure Guidelines\n* Please do not disclose or discuss any security vulnerabilities (even resolved vulnerabilities) in Xiaomi products without express consent from Xiaomi, regardless of whether the vulnerability is covered by this bug bounty program.\n* Please follow the disclosure guidelines of HackerOne. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi will send you a thank-you reward.\n\nThanks for keeping Xiaomi and our users secure and safe!\n\n--------- \n\n# Response Time\nXiaomi will make a best effort to meet the following target response times for the white hats participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress.\n\nPlease _do not_ send repeated follow-up messages unless our response has exceeded the target response time above. We appreciate your patience.\n\n------------ \n\n# General Assessment Rules\n* Please include as much detailed information as possible in the vulnerability report, such as the steps to reproduce the vulnerability and the expected result of each step. If the information you submit is insufficient for us to verify the vulnerability, you will not be eligible for the reward.\n* If you discover a security vulnerability through the use of automated tools or scanners, please reproduce it manually and provide relevant details; otherwise, the vulnerability report may be ignored or receive a smaller reward than expected.\n* If multiple vulnerability reports are submitted that are all caused by the same root cause, these reports will only be confirmed as ONE valid submission. 
For example, vulnerabilities caused by a common server configuration that affects multiple products.\n* When duplicate vulnerability reports appear, we will verify them in order of submission time, and the first vulnerability report that meets the confirmation requirements will be rewarded.\n* For vulnerability reports involving third-party components, we only accept unknown or 0-day vulnerabilities, and only reward the first valid submission.\n* For vulnerability reports involving Xiaomi's cooperating manufacturers, we only confirm vulnerabilities that affect Xiaomi's products and services and give reasonable ratings based on the actual situation.\n* We set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF vulnerability in our production environment, please test it via https://ssrf.dun.mi.com/ssrf/hacker. Please provide the necessary information when submitting the report based on your testing results, as follows:\n    *  If there is an echo (the response is displayed), a complete page screenshot of the echo (including text length, and whether the echo is complete or partial) shall be provided in the report.\n    *  If there is no echo, the content and access time of the custom field shall be provided in the report. We will verify your submitted information.\n* For vulnerabilities related to data leakage from cloud storage buckets, e.g. 
S3, KSS, FDS, etc., the following factors will be considered before confirmation:\n    *  whether the data or link should have restricted access,\n    *  if so, the sensitivity of the data or link exposed to the public.\n* The final assessment result of each vulnerability report depends on multiple factors, including but not limited to the severity and risk, the difficulty of exploitation, the scope of impact, and whether there are mitigation measures.\n* Xiaomi has the final decision and interpretation rights on the final assessment results, including whether a vulnerability report should be rewarded and the specific amount of the reward.\n\n\n\n------------ \n\n# Detailed Rules and Bounty Scheme\n\n\n\n## WEB VULNERABILITIES\n\n**Scope \u0026 Categorization**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: virtual banking, Xiaomi Chaoshen, financial technology, and other Xiaomi cooperative investment businesses; some third-party businesses, such as imilab.com, zhimi.com, zmifi.com, etc.; and some operation and maintenance monitoring, test pages, testing environments, and open-source systems that lack access controls (judged by name as to whether a suspected Xiaomi-related business needs internal evaluation to confirm whether it has an actual impact on Xiaomi);\n\n*Please note that the above list may be updated due to business development at any time.*\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $900~$2000 | $400~$800 | $70~$110 | No Reward |\n| General Business   | $400~$800  | $150~$300 | $20~$60 | No Reward |\n| Edge Business      | $100~$200   
| $30~$50 | No Reward | No Reward |\n\n*Please note that vulnerabilities with low severity will be triaged and receive reputation points accordingly, but will not be eligible for bounties.*\n\n**Examples of CRITICAL vulnerabilities**\n* Vulnerabilities that give direct access to core system permissions and can directly harm the intranet, including but not limited to command execution, remote overflow, and other vulnerabilities;\n* Vulnerabilities that can obtain a large amount of core Xiaomi user data or involve trade-secret contracts, including but not limited to SQL injection into core databases;\n* Payment-related vulnerabilities, including but not limited to serious logic errors and vulnerabilities that can obtain large benefits and cause losses to the company and users;\n* Vulnerabilities that endanger the Xiaomi account system: without any interaction, log in to any Xiaomi account, obtain detailed user information, log in to Xiaomi Cloud to control mobile phones, make payments as the user, or gain other permissions\n \n\n \n**Examples of HIGH vulnerabilities**\n* Vulnerabilities that can obtain sensitive user information, including but not limited to SQL injection on ordinary sites;\n* Logic vulnerabilities in individual activities and businesses, such as those that can obtain higher benefits such as points and red packets;\n* Weak passwords or authentication bypasses into a back-end system that carries actual permissions, or leaks of sensitive information or code in the business, which allow an online business to actually be operated and cause greater harm;\n* SSRF that reaches the intranet, supports a variety of protocols, and can detect vulnerabilities in intranet services (for the SSRF verification method, see the notes in the General Assessment Rules);\n* Vulnerabilities that, in specific scenarios or through some user interaction, log in to individual Xiaomi accounts and have actual user operation permissions;\n* Access to sensitive information such as core cookies, or stored XSS\n\n\n 
\n**Examples of MEDIUM vulnerabilities**\n* General user information disclosure;\n* Vulnerabilities that require interaction to affect users, including but not limited to stored XSS and CSRF on important sensitive operations;\n* Destructive unauthorized operations (ultra vires), such as editing or deleting comments, changing function attributes, etc.;\n* File inclusion, directory traversal, and vulnerabilities that can view some sensitive information;\n* Code leaks and vulnerabilities that expose sensitive information but have not been successfully exploited;\n* SSRF that reaches the intranet with no echo, or with partial echo but without obtaining information or service permissions (for the SSRF verification method, see the notes in the General Assessment Rules);\n* Leaks on GitHub that disclose employee email account passwords or online server account passwords; file uploads that can only be used for phishing; (important business) stored XSS vulnerabilities that are not limited by browser security policies; DOM XSS that requires strong, multi-step interaction (two steps or more) to have a greater impact on users;\n* The domain name can be hijacked arbitrarily by an attacker\n\n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that can obtain user information under certain circumstances, including but not limited to reflected XSS, CSRF, temporary file traversal, URL redirection, SMS bombing, and minor information disclosure;\n* Including but not limited to debugging information, phpinfo, SVN file disclosure, GitHub leaks of employee intranet test server account passwords, and other machine log files with some sensitive information;\n* Confirmed as a vulnerability, but difficult to exploit;\n* Denial-of-service attacks caused by application-layer defects;\n\n\n------------ \n\n## MOBILE VULNERABILITIES\n### Scope \u0026 Categorization\n* Important businesses: Latest version of Xiaomi mobile apps preinstalled on Xiaomi mobile phones, MIUI vulnerabilities\n* General 
businesses: Single-issue apps, non-pre-installed but downloadable Xiaomi mobile apps\n* Edge businesses: Special Edition Business APP\n\n*Please note that the above list may be updated due to business development at any time.*\n\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $3500~$115000 | $800~$1600 | $200~$600 | $50~$100 |\n| General Business   | $700~$3000  | $400~$700 | $100~$200 | $10 |\n| Edge Business      | $300~$700   | $100~$150 | $10  | $5 |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Bypass the Secure Boot\n* Launch a permanent denial of service attack remotely, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Obtain ROOT permissions\n* Remote execution of arbitrary code in a privileged process\n* Execute arbitrary code in TEE\n* Unauthorized access to TEE-protected data (only fingerprints, faces and other data that can cause user property damage are rated as serious)\n \n\n **Examples of HIGH vulnerabilities**\n* Remotely obtain user-related sensitive information (photos, address books, audio, etc.)\n* Remotely execute arbitrary code in ordinary application processes\n* Remote access to protected data (data accessed by privileged processes only)\n* Local execution of arbitrary code in privileged applications, TCB, or ICE\n* System-level lock screen bypass (needs to test the latest development version and be universally reproducible)\n* Launch a permanent denial of service attack locally, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Remotely read arbitrary data in the victim APP sandbox\n* Remotely turn on or off functions that are usually initiated by users without user interaction, or functions that require user permission before they can be used\n* 
Bypassing device protection functions (e.g. mobile phone retrieval)\n* Modify security settings locally without user interaction\n* Obtain user-sensitive information locally\n \n\n**Examples of MEDIUM vulnerabilities**\n* Remotely launch a temporary denial of service attack, which can cause the system to hang or the device to restart\n* Logic vulnerabilities that can be used to deceive users\n* Locally read arbitrary data from the victim APP sandbox\n* Bypass the APP lock screen\n* Locally obtain sensitive user information (for example: mobile phone number) without permission\n* Locally execute arbitrary code in ordinary application processes\n* Locally turn on or off functions that are usually initiated by users without user interaction, or functions that require user permission before they can be used\n\n \n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that require multiple (more than two) user interactions to trigger\n* Hijacking vulnerability in APP upgrade function\n* Requires physical contact. 
In some scenarios, information security-related vulnerabilities will only occur with user cooperation\n* Obtain non-user-related sensitive information\n* Launch a temporary denial of service attack remotely, causing the application to crash and restart\n* Locally execute arbitrary code in restricted processes\n\n\n### Terminology Explanation\n**Remote**: refers to exploiting vulnerabilities to carry out attacks without installing applications or actually touching the device, including web browsing, reading SMS and MMS messages, sending and receiving emails, file downloads, wireless network communications (excluding short-range communications with a communication distance of less than 10 cm) and other methods.\n**Local**: refers to exploiting vulnerabilities to carry out attacks that require the installation of applications on the victim system, or require physical contact with the device and short-range communication with a communication distance of less than 10 centimeters.\n**Restricted process**: a process that is subject to stricter permission constraints than ordinary application processes, or that runs in a highly restricted SELinux (or SEAndroid) domain.\n**Ordinary application process**: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application process or a built-in application process without system-level permissions.\n**Privileged process**: refers to applications or processes running in the system_app domain of SELinux (or SEAndroid), including processes running with system-level permissions and processes with root permissions.\n**TCB**: TCB is the abbreviation of Trusted Computing Base, which refers to the overall protection mechanism of the computer, including the hardware, firmware, software and their combination responsible for enforcing security policies. 
It establishes a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to part of the kernel and drivers, or user services equivalent to the kernel, such as init, vold, etc.\n**TEE**: TEE is the abbreviation of Trusted Execution Environment, which coexists with the Android system on the device. It is mainly used to provide Android with an operating environment for trusted computing, trusted storage, and other security services.\n**ICE**: ICE is the abbreviation of Independent Computing Environment, which refers to a combination of relatively focused functional services with an independent computing unit, firmware program, and simple OS, such as a baseband modem.\n \n ------------ \n\n## HARDWARE VULNERABILITIES\n### Scope \u0026 Categorization\n* Xiaomi and Mijia brand hardware \u0026 IoT products.\n* For hardware \u0026 IoT products not using the Xiaomi or Mijia brand, please submit the vulnerability by selecting “Other hardware assets”.\n* Important businesses: Routers, cameras, TVs, and other intelligent hardware related to user privacy, personal safety, and property security.\n* General businesses: Devices that do not store user information and do not pose significant risks to users, like smart bulbs, 
etc.\n \n### Bounty Scheme and Examples \n| Categorization / Severity      | Critical      | High      | Medium      | low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $2000~$9000 | $800~$2000 | $200~$600 | $50~$100 |\n| General Business   | $500~$1200  | $400~$700 | $80~$150 | $10-$50 |\n\n \n **Examples of Critical vulnerabilities**\n* Vulnerabilities that could cause significant financial loss to users\n* Universal RCE  targeting different device models\n* Remotely render a device permanently inoperable\n\n **Examples of HIGH vulnerabilities**\n* Non-interactive command execution in LAN environment\n* Vulnerabilities that can acquire large amounts of detailed sensitive user information within WAN environment\n\n **Examples of MEDIUM vulnerabilities**\n* Interactive or authorized command execution in LAN environment\n* Denial-of-service (not including traffic and performance attacks)   in  WAN environment\n \n\n **Examples of LOW vulnerabilities**\n* Insecure Configuration\n* Implant malicious code or tamper with firmware into the target device physically but without dismantling the device\n* Denial-of-service (not including traffic and performance attacks) impact on the device via  LAN\n\n--------- \n\n\n## PRIVACY VULNERABILITIES\n\n**Scope**\nMobile apps preinstalled on the smartphones of Xiaomi.\n\n| App Name | Package Name |\n| :--- | :--- |\n| App Vault | com.mi.android.globalminusscreen |\n| Backup \u0026 Reset | com.miui.backup |\n| Mi Browser | com.android.browser |\n| Downloads | com.android.providers.downloads.ui |\n| File Manager | com.mi.android.globalFileexplorer |\n| Gallery | com.miui.gallery |\n| Messaging | com.android.mms.service |\n| Mi Video | com.miui.videoplayer |\n| Mi Music | com.miui.player |\n| Security Center | com.miui.securitycenter |\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | 
com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Fashion Gallery | com.miui.android.fashiongallery |\n| Mi Drop / ShareMe | com.xiaomi.midrop |\n| Mi Cloud | com.miui.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Recorder | com.miui.screenrecorder |\n| Services \u0026 Feedback | com.miui.bugreport |\n| System Launcher | com.miui.home |\n\n**Bounties**\n\n|  Severity  | Bounty  |\n| -------------- | ------------------ |\n| High | $500-$200 |\n| Medium | $200-$100 |\n| Low | $100-$50 |\n\nPrivacy vulnerabilities refer to violations of laws and regulations related to privacy or data protection in the country or region where the user is located. If such a vulnerability is not fixed in time, it will infringe the user's rights and interests, or cause negative impact or damage to the company's operations or reputation.\nThe severity of a privacy vulnerability will be comprehensively determined based on factors such as the degree of violation of laws and regulations, the degree of damage to user rights and interests, the degree of impact on the company, and the impact scope.\n\n\n--------- \n\n\n# Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please always consider the attack scenario and exploitability, as well as the security impact of the vulnerability. For vulnerabilities that are difficult to exploit and have low impact, we may ignore the submission. The following types of issues will not be accepted and are considered beyond the scope of our bug bounty program.\n\n**For Web**\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/unexploitable exposure of third-party API keys with no significant security impact\n* Subdomain takeovers that cannot be proven to be exploitable\n* Issues with minimal security implications, such as logout, unauthenticated or low-impact CSRF/low-impact CRLF/self-use CSRF/low-impact clickjacking, low-impact UI redressing/misconfiguration that leads to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Non-sensitive information disclosure such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain outdated IE browser versions\n    * HTTP status codes/pages, other non-sensitive HTTP pages, and files with non-sensitive information\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain information about intranet servers and only produce a DNS log entry without any impact\n* Misconfigurations such as:\n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n**For Mobile**\n**Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in Android app\n* APP setting allowbackup:True\n \n**Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not convincingly deceptive\n* Attacks that are only available in older versions of Android\n\n--------- \n\n\n\n# FAQ\n* Will Xiaomi secretly fix an ignored vulnerability?\n\n*Absolutely not! 
If the ignored vulnerability is later fixed, it is possible that the vulnerability has already been discovered internally and is being fixed, or that the vulnerability no longer appears during the change of the product itself, rather than Xiaomi ignoring the report and fixing it based on the report information.*\n\n--------- \n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-25T09:11:40.342Z"},{"id":3725532,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Disclosure Policy\n* Safe Harbour\n* Response Time\n* General Assessment Rules\n* Detailed Rules and Reward Scheme\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n    * Privacy Vulnerabilities \n* Out of scope Vulnerabilities\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is vital to us, and we constantly strive to guarantee our users' security. Xiaomi hopes to provide solid and comprehensive security protection to our products and services by working closely with individuals, organizations, and companies around the world. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect users' privacy - Xiaomi hopes to respect our users’ privacy, and we oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg: exploiting vulnerabilities to steal user data, editing, copying, or stealing data from related system services through the intrusion into Xiaomi’s services, or maliciously disseminating vulnerabilities which may disclose users' data.\n* Cause more good than harm - You should never leave a system or users in a more dangerous state when you find any vulnerabilities. 
You shall not engage in activities that may degrade, damage, or destroy the information in our systems, or that may impact our users, such as Denial of Service, social engineering, or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is for international white hats. For the white hats from China Mainland, please submit the report to the Xiaomi Security Center via https://sec.xiaomi.com/\n\n ------------ \n\n# Disclosure Guidelines\n* Please do not disclose or discuss any security vulnerabilities (even resolved vulnerabilities) in Xiaomi products without express consent from Xiaomi, regardless of whether the vulnerability is involved in this bug bounty program.\n* Please follow the disclosure guidelines of HackerOne. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. 
If the suggestions are adopted, Xiaomi will send you a thanks reward.\n\nThanks for keeping Xiaomi and our users secure and safe!\n\n--------- \n\n# Response Time\nXiaomi will make a best effort to meet the following target response time for the white hats participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress.\n\nPlease _do not_ send spam messages and follow-ups if our response doesn't exceed the target response time above. We appreciate your patience.\n\n ------------ \n\n# General Assessment Rules\n* Please include as much detailed information as possible in the vulnerability report, such as the steps to reproduce the vulnerability and the expected results of each step. If the information you submit is insufficient to help us verify the vulnerability, you will not be eligible for the reward.\n* If you discover a security vulnerability through the use of automated tools or scanners, please perform a manual reproduction and provide relevant details, otherwise, the vulnerability report may be ignored or receive a smaller reward than expected.\n* If multiple vulnerability reports are submitted, all caused by the same reason, these reports will only be confirmed as ONE valid submission. 
For example, vulnerabilities are caused by common server configurations affecting multiple products.\n* When duplicate vulnerability reports appear, we will verify them based on the order of submission time, and the first vulnerability report that meets the confirmation requirements will be rewarded.\n* For vulnerability reports involving third-party components, we only accept unknown or 0-day vulnerabilities, and only reward the first valid submission.\n* For vulnerability reports involving the cooperative manufacturers of Xiaomi, we only confirm the vulnerabilities that affect the products and services of Xiaomi and give reasonable ratings based on the actual situation.\n* We set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF vulnerability in our production environment, please test it via https://ssrf.dun.mi.com/ssrf/hacker. Please provide the necessary information when submitting the report based on your testing results as follows -\n    *  If there is an echo display, a complete page screenshot of the echo display (including text length, and complete/partial echo) shall be provided in the report.\n    *  If there is no echo display, the content and access time of the custom field shall be provided in the report. We will verify your submitted information.\n* For the vulnerabilities related to the data leakage from cloud storage buckets, e.g. 
S3, KSS, FDS, etc., the following factors will be considered before confirmation -\n    *  whether the data or link should have access restricted,\n    *  if yes, the sensitivity of the data or link is exposed to the public.\n* The final assessment result of each vulnerability report depends on multiple factors, including but not limited to the severity and risk, the difficulty of being exploited, the scope of impact, and whether there are mitigation measures.\n* Xiaomi has the final decision and interpretation rights on the final assessment results, including whether a vulnerability report should be rewarded and the specific amount of the reward\n\n\n\n------------ \n\n# Detailed Rules and Bounty Scheme\n\n\n\n## WEB VULNERABILITIES\n\n**Scope \u0026 Categorization**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge business: such as virtual banking, Xiaomi Chaoshen, financial technology, and other Xiaomi cooperative investment businesses, as well as some third-party businesses, such as imilab.com, zhimi.com, zmifi.com, etc., there are also some operation and maintenance monitoring, test pages, testing environment, and open source systems that lack access rights (according to the name to determine whether the suspected Xiaomi-related business needs internal evaluation to confirm whether it has actual impact on Xiaomi);\n\n*Please note that the above list may be updated due to business development at any time.*\n \n### Bounty Scheme and Examples \n| Categorization / Severity      | Critical      | High      | Medium      | low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $900~$2000 | $400~$800 | $70~$110 | No Reward |\n| General Business   | $400~$800  | $150~$300 | $20~$60 | No Reward |\n| Edge Business      | $100~$200   
| $30~$50 | No Reward | No Reward |\n\n*Please note that vulnerabilities with low severity will be triaged and receive reputation points accordingly, but will not be eligible for bounties.*\n\n**Examples of CRITICAL vulnerabilities**\n* Vulnerabilities that give direct access to core system permissions and can directly harm the intranet, including but not limited to command execution, remote overflow, and other vulnerabilities;\n* Vulnerabilities that can obtain a large amount of core Xiaomi user data or involve trade-secret contracts, including but not limited to SQL injection into core databases;\n* Payment-related vulnerabilities, including but not limited to serious logic errors and vulnerabilities that can obtain large benefits and cause losses to the company and users;\n* Vulnerabilities that endanger the Xiaomi account system: without any interaction, log in to any Xiaomi account, obtain detailed user information, log in to Xiaomi Cloud to control mobile phones, make payments as the user, or gain other permissions\n \n\n \n**Examples of HIGH vulnerabilities**\n* Vulnerabilities that can obtain sensitive user information, including but not limited to SQL injection on ordinary sites;\n* Logic vulnerabilities in individual activities and businesses, such as those that can obtain higher benefits such as points and red packets;\n* Weak passwords or authentication bypasses into a back-end system that carries actual permissions, or leaks of sensitive information or code in the business, which allow an online business to actually be operated and cause greater harm;\n* SSRF that reaches the intranet, supports a variety of protocols, and can detect vulnerabilities in intranet services (for the SSRF verification method, see the notes in the General Assessment Rules);\n* Vulnerabilities that, in specific scenarios or through some user interaction, log in to individual Xiaomi accounts and have actual user operation permissions;\n* Access to sensitive information such as core cookies, or stored XSS\n\n\n 
\n**Examples of MEDIUM vulnerabilities**\n* General user information disclosure;\n* Vulnerabilities that require interaction to affect users, including but not limited to stored XSS and CSRF on important sensitive operations;\n* Destructive unauthorized operations (ultra vires), such as editing or deleting comments, changing function attributes, etc.;\n* File inclusion, directory traversal, and vulnerabilities that can view some sensitive information;\n* Code leaks and vulnerabilities that expose sensitive information but have not been successfully exploited;\n* SSRF that reaches the intranet with no echo, or with partial echo but without obtaining information or service permissions (for the SSRF verification method, see the notes in the General Assessment Rules);\n* Leaks on GitHub that disclose employee email account passwords or online server account passwords; file uploads that can only be used for phishing; (important business) stored XSS vulnerabilities that are not limited by browser security policies; DOM XSS that requires strong, multi-step interaction (two steps or more) to have a greater impact on users;\n* The domain name can be hijacked arbitrarily by an attacker\n\n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that can obtain user information under certain circumstances, including but not limited to reflected XSS, CSRF, temporary file traversal, URL redirection, SMS bombing, and minor information disclosure;\n* Including but not limited to debugging information, phpinfo, SVN file disclosure, GitHub leaks of employee intranet test server account passwords, and other machine log files with some sensitive information;\n* Confirmed as a vulnerability, but difficult to exploit;\n* Denial-of-service attacks caused by application-layer defects;\n\n\n------------ \n\n## MOBILE VULNERABILITIES\n### Scope \u0026 Categorization\n* Important businesses: Latest version of Xiaomi mobile apps preinstalled on Xiaomi mobile phones, MIUI vulnerabilities\n* General 
businesses: Single-issue apps, non-pre-installed but downloadable Xiaomi mobile apps\n* Edge businesses: Special Edition Business APP\n\n*Please note that the above list may be updated due to business development at any time.*\n\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $3500~$115000 | $800~$1600 | $200~$600 | $50~$100 |\n| General Business   | $700~$3000  | $400~$700 | $100~$200 | $10 |\n| Edge Business      | $300~$700   | $100~$150 | $10  | $5 |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Bypass the Secure Boot\n* Launch a permanent denial of service attack remotely, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Obtain ROOT permissions\n* Remote execution of arbitrary code in a privileged process\n* Execute arbitrary code in TEE\n* Unauthorized access to TEE-protected data (only fingerprints, faces and other data that can cause user property damage are rated as serious)\n \n\n **Examples of HIGH vulnerabilities**\n* Remotely obtain user-related sensitive information (photos, address books, audio, etc.)\n* Remotely execute arbitrary code in ordinary application processes\n* Remote access to protected data (data accessed by privileged processes only)\n* Local execution of arbitrary code in privileged applications, TCB, or ICE\n* System-level lock screen bypass (needs to test the latest development version and be universally reproducible)\n* Launch a permanent denial of service attack locally, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Remotely read arbitrary data in the victim APP sandbox\n* Remotely turn on or off functions that are usually initiated by users without user interaction, or functions that require user permission before they can be used\n* 
Bypassing device protection functions (e.g. mobile phone retrieval)\n* Modify security settings locally without user interaction\n* Obtain user-sensitive information locally\n \n\n**Examples of MEDIUM vulnerabilities**\n* Remotely launch a temporary denial of service attack, which can cause the system to hang or the device to restart\n* Logic vulnerabilities that can be used to deceive users\n* Locally read arbitrary data from the victim APP sandbox\n* Bypass the APP lock screen\n* Locally obtain sensitive user information (for example: mobile phone number) without permission\n* Locally execute arbitrary code in ordinary application processes\n* Locally turn on or off functions that are usually initiated by users without user interaction, or functions that require user permission before they can be used\n\n \n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that require multiple (more than two) user interactions to trigger\n* Hijacking vulnerability in APP upgrade function\n* Requires physical contact. 
In some scenarios, information security-related vulnerabilities will only occur with the user cooperation\n* Obtain non-user-related sensitive information\n* Launch a temporary denial of service attack remotely, causing the application to crash and restart\n* Execute arbitrary code in restricted processes through local\n\n\n### Terminology Explanation\n**Remote**: refers to exploiting vulnerabilities to carry out attacks without installing applications or actually touching the device, including web browsing, reading SMS and MMS messages, sending and receiving emails, file downloads, and wireless network communications (excluding short-range communications with a communication distance less than 10 cm) ) and other methods.\n**Local**: Refers to exploiting vulnerabilities to carry out attacks that require the installation of applications on the victim system, or require physical contact with the device and short-range communication with a communication distance of less than 10 centimeters.\n**Restricted process**: A process that is subject to stricter permission constraints than ordinary application processes, or that runs in a highly restricted SElinux (or SEAndroid) domain.\n**Ordinary application process**: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application process or a built-in application process without system-level permissions.\n**Privileged process**: refers to applications or processes running in the system_app domain of SELinux (or SEAndroid), including processes running with system-level permissions and processes with root permissions.\n**TCB**: TCB is the abbreviation of Trusted Computing Base, which refers to the overall protection device in the computer, including hardware, firmware, software and the combination responsible for executing security policies. 
It establishes a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to part of the kernel and drivers, or user services equivalent to the kernel, such as init, vold, etc.\n**TEE**: TEE is the abbreviation of Trusted Execution Environment, which coexists with the Android system on the device. It is mainly used to provide Android with an operating environment for trusted computing, trusted storage , and other security services.\n**ICE**: ICE is the abbreviation of Independent Computing Environment, which refers to a combination of relatively focused functional services and an independent computing unit, firmware program, and simple OS, such as a baseband Modem.\n \n ------------ \n\n## HARDWARE VULNERABILITIES\n### Scope \u0026 Categorization\n* Xiaomi and Mijia brand hardware \u0026 IoT products. \n* For hardware \u0026 IoT products not using Xiaomi and Mijia brand, please submit the vulnerability by selecting “Other hardware assets”. \n* Important businesses: Routers, Cameras, TV,and other intelligent hardware related to user privacy, personal safety, and property security.\n* General businesses: Devices that do not store user information and do not pose significant  risks to users ,like Smart bulb. 
etc.\n \n### Bounty Scheme and Examples \n| Categorization / Severity      | Critical      | High      | Medium      | low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $2000~$9000 | $800~$2000 | $200~$600 | $50~$100 |\n| General Business   | $500~$1200  | $400~$700 | $80~$150 | $10-$50 |\n\n \n **Examples of Critical vulnerabilities**\n* Vulnerabilities that could cause significant financial loss to users\n* Universal RCE  targeting different device models\n* Remotely render a device permanently inoperable\n\n **Examples of HIGH vulnerabilities**\n* Non-interactive command execution in LAN environment\n* Vulnerabilities that can acquire large amounts of detailed sensitive user information within WAN environment\n\n **Examples of MEDIUM vulnerabilities**\n* Interactive or authorized command execution in LAN environment\n* Denial-of-service (not including traffic and performance attacks)   in  WAN environment\n \n\n **Examples of LOW vulnerabilities**\n* Insecure Configuration\n* Implant malicious code or tamper with firmware into the target device physically but without dismantling the device\n* Denial-of-service (not including traffic and performance attacks) impact on the device via  LAN\n\n--------- \n\n\n## PRIVACY VULNERABILITIES\n\n**Scope**\nMobile apps preinstalled on the smartphones of Xiaomi.\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Broswer) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging ) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security（Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n** Bounties **\n\n|  Severity  | Bounty  | \n| -------------- | ------------------ |\n| High | $500-$200 |\n| Medium | $200-$100 |\n| Low | $100-$50 |\n\nPrivacy vulnerabilities refer to violations of laws and regulations related to privacy or data protection in the country or region where the user is located. If it is not fixed in time, it will infringe the user's rights and interests, or cause negative impact or damage to the company's operations or reputation.\nThe severity of a privacy vulnerability will be comprehensively determined based on factors such as the degree of violation of laws and regulations, the degree of damage to user rights and interests, the degree of impact on the company, and the impact scope.\n\n\n--------- \n\n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please always consider the attack scenario and exploitability, as well as the security impact of the vulnerability. For vulnerabilities that are difficult to exploit and have low impact, we may ignore this submission. 
The following types of issues will not be accepted and are considered beyond the scope of our bug bounty program.\n\n**For Web**\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**For Mobile**\n**Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (Except for APP logs with                                                          sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in android app\n* APP setting allowbackup:True \n \n** Local DoS attacks with limited impact**\n* Sending malformed intents to the exported component causes the APP to crash only\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerability with less deceptive\n* Attacks that are only available in lower versions of Android\n\n--------- \n\n\n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability？\n\n*Absolutely not! 
If the ignored vulnerability is later fixed, it is possible that the vulnerability has already been discovered internally and is being fixed, or that the vulnerability no longer appears during the change of the product itself, rather than Xiaomi ignoring the report and fixing it based on the report information.*\n\n--------- \n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-10T08:55:57.204Z"},{"id":3725529,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Disclosure Policy\n* Safe Harbour\n* Response Time\n* General Assessment Rules\n* Detailed Rules and Reward Scheme\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n    * Privacy Vulnerabilities \n* Out of scope Vulnerabilities\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is vital to us, and we constantly strive to guarantee our users' security. Xiaomi hopes to provide solid and comprehensive security protection to our products and services by working closely with individuals, organizations, and companies around the world. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect users' privacy - Xiaomi hopes to respect our users’ privacy, and we oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg: exploiting vulnerabilities to steal user data, editing, copying, or stealing data from related system services through the intrusion into Xiaomi’s services, or maliciously disseminating vulnerabilities which may disclose users' data.\n* Cause more good than harm - You should never leave a system or users in a more dangerous state when you find any vulnerabilities. 
You shall not engage in activities that may degrade, damage, or destroy the information in our systems, or that may impact our users, such as Denial of Service, social engineering, or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is for international white hats. For the white hats from China Mainland, please submit the report to the Xiaomi Security Center via https://sec.xiaomi.com/\n\n ------------ \n\n# Disclosure Guidelines\n* Please do not disclose or discuss any security vulnerabilities (even resolved vulnerabilities) in Xiaomi products without express consent from Xiaomi, regardless of whether the vulnerability is involved in this bug bounty program.\n* Please follow the disclosure guidelines of HackerOne. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. 
If the suggestions are adopted, Xiaomi will send you a thanks reward.\n\nThanks for keeping Xiaomi and our users secure and safe!\n\n--------- \n\n# Response Time\nXiaomi will make a best effort to meet the following target response time for the white hats participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress.\n\nPlease _do not_ send spam messages and follow-ups if our response doesn't exceed the target response time above. We appreciate your patience.\n\n ------------ \n\n# General Assessment Rules\n* Please include as much detailed information as possible in the vulnerability report, such as the steps to reproduce the vulnerability and the expected results of each step. If the information you submit is insufficient to help us verify the vulnerability, you will not be eligible for the reward.\n* If you discover a security vulnerability through the use of automated tools or scanners, please perform a manual reproduction and provide relevant details, otherwise, the vulnerability report may be ignored or receive a smaller reward than expected.\n* If multiple vulnerability reports are submitted, all caused by the same reason, these reports will only be confirmed as ONE valid submission. 
For example, vulnerabilities are caused by common server configurations affecting multiple products.\n* When duplicate vulnerability reports appear, we will verify them based on the order of submission time, and the first vulnerability report that meets the confirmation requirements will be rewarded.\n* For vulnerability reports involving third-party components, we only accept unknown or 0-day vulnerabilities, and only reward the first valid submission.\n* For vulnerability reports involving the cooperative manufacturers of Xiaomi, we only confirm the vulnerabilities that affect the products and services of Xiaomi and give reasonable ratings based on the actual situation.\n* We set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF vulnerability in our production environment, please test it via https://ssrf.dun.mi.com/ssrf/hacker. Please provide the necessary information when submitting the report based on your testing results as follows -\n    *  If there is an echo display, a complete page screenshot of the echo display (including text length, and complete/partial echo) shall be provided in the report.\n    *  If there is no echo display, the content and access time of the custom field shall be provided in the report. We will verify your submitted information.\n* For the vulnerabilities related to the data leakage from cloud storage buckets, e.g. 
S3, KSS, FDS, etc., the following factors will be considered before confirmation -\n    *  whether the data or link should have access restricted,\n    *  if yes, the sensitivity of the data or link exposed to the public.\n* The final assessment result of each vulnerability report depends on multiple factors, including but not limited to the severity and risk, the difficulty of being exploited, the scope of impact, and whether there are mitigation measures.\n* Xiaomi has the final decision and interpretation rights on the final assessment results, including whether a vulnerability report should be rewarded and the specific amount of the reward\n\n\n\n------------ \n\n# Detailed Rules and Bounty Scheme\n\n\n\n## WEB VULNERABILITIES\n\n**Scope \u0026 Categorization**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: virtual banking, Xiaomi Chaoshen, financial technology, and other Xiaomi cooperative investment businesses, as well as some third-party businesses such as imilab.com, zhimi.com, zmifi.com, etc.; also some operation and maintenance monitoring, test pages, testing environments, and open source systems that lack access controls (whether a suspected Xiaomi-related business, judged by its name, has an actual impact on Xiaomi needs internal evaluation to confirm);\n\n*Please note that the above list may be updated due to business development at any time.*\n \n### Bounty Scheme and Examples \n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $900~$2000 | $400~$800 | $70~$110 | No Reward |\n| General Business   | $400~$800  | $150~$300 | $20~$60 | No Reward |\n| Edge Business      | $100~$200   | $30~$50 | No Reward | No Reward |\n\n*Please note that vulnerabilities with low severity will be triaged and receive reputation points accordingly, but will not be eligible for bounties.*\n\n**Examples of CRITICAL vulnerabilities**\n* Vulnerabilities that give direct access to core system permissions or can directly harm the intranet, including but not limited to command execution, remote overflow, and other vulnerabilities;\n* Vulnerabilities that can obtain a large amount of Xiaomi user core data or involve trade secrets or contracts, including but not limited to SQL injection into core databases;\n* Payment-related vulnerabilities, including but not limited to serious logic errors and vulnerabilities that can obtain a large number of benefits and cause losses to the company and users;\n* Vulnerabilities that endanger the Xiaomi account system: without any interaction, logging in to any Xiaomi account to obtain detailed user information, logging in to Xiaomi Cloud to control mobile phones, user payment, and other permissions\n \n\n \n**Examples of HIGH vulnerabilities**\n* Vulnerabilities that can obtain sensitive user information, including but not limited to SQL injection on ordinary sites;\n* Logic vulnerabilities in individual activities and businesses, such as those that can obtain higher benefits, such as points and red packets;\n* Weak passwords or authentication bypasses into a back end that has actual permissions, or sensitive information or code leaks in a business, which can actually be used to operate an online business and cause greater harm;\n* SSRF that reaches the intranet, supports a variety of protocols, and can detect vulnerabilities in intranet services (for the SSRF vulnerability verification method, see the points for attention in the scoring rules);\n* Vulnerabilities that, in specific scenarios or through some user interaction, allow logging in to individual Xiaomi accounts with actual user operation permissions;\n* Access to sensitive information such as core cookies, or stored XSS\n\n\n \n**Examples of MEDIUM vulnerabilities**\n*  General user information disclosure;\n*  Vulnerabilities that require interaction to affect users, including but not limited to stored XSS and CSRF for important sensitive operations;\n*  Destructive unauthorized operations, such as editing or deleting comments, changing function attributes, etc.;\n*  File inclusion, directory traversal, and vulnerabilities that can view some sensitive information;\n*  Code leaks, and vulnerabilities that expose sensitive information but have not been successfully exploited;\n*  SSRF that reaches the intranet with no echo, or with partial echo but without obtaining information or service permissions (for the SSRF vulnerability verification method, see the scoring rules note);\n*  Vulnerabilities in GitHub that disclose employee email account passwords, online server account passwords, or other file uploads that can only cause phishing; (important business) stored XSS vulnerabilities that are not limited by browser security policies; DOM XSS that requires strong, multi-step interaction (two steps or more) to have a greater impact on users;\n*  The domain name can be hijacked arbitrarily by an attacker\n\n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that can obtain user information under certain circumstances, including but not limited to reflected XSS, CSRF, temporary file traversal, URL redirection, SMS bombing, and minor information disclosure;\n* Including but not limited to debugging information, phpinfo, SVN file disclosure, GitHub leaks of employee intranet test server account passwords, and other machine log files with certain sensitive information;\n* Confirmed as a vulnerability, but difficult to exploit;\n* Denial of service attacks caused by application layer defects;\n\n\n------------ \n\n## MOBILE VULNERABILITIES\n### Scope \u0026 Categorization\n* Important businesses: Latest version of Xiaomi mobile apps preinstalled on Xiaomi mobile phones, MIUI vulnerabilities\n* General 
businesses: Single-issue apps, non-pre-installed but downloadable Xiaomi mobile apps\n* Edge businesses: Special Edition Business APP\n\n* Please note that the above list may be updated due to business development at any time.*\n\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $3500~$115000 | $800~$1600 | $200~$600 | $50~$100 |\n| General Business   | $700~$3000  | $400~$700 | $100~$200 | $10 |\n| Edge Business      | $300~$700   | $100~$150 | $10  | $5 |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Bypass the Secure Boot\n* Launch a permanent denial of service attack remotely, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Obtain ROOT permissions\n* Remote execution of arbitrary code in a privileged process\n* Execute arbitrary code in TEE\n* Unauthorized access to TEE-protected data (only fingerprints, faces and other data that can cause user property damage are rated as serious)\n \n\n **Examples of HIGH vulnerabilities**\n* Remotely obtain user-related sensitive information (photos, address books, audio, etc.)\n* Remotely execute arbitrary code in order to application processes\n* Remote access to protected data (data accessed by privileged processes only)\n* Local execution of arbitrary code in privileged applications, TCB, or ICE\n* System-level lock screen bypass (needs to test the latest development version and be universally reproducible)\n* Launch a permanent denial of service attack locally, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Remotely read arbitrary data in the victim APP sandbox\n* Remotely turn on or off functions that are usually initiated by users without user interaction, or functions that require user permission before they can be used\n* 
Bypassing device protection functions (e.g. mobile phone retrieval)\n* Modify security settings locally without user interaction\n* Obtain user-sensitive information locally\n \n\n**Examples of MEDIUM vulnerabilities**\n* Remotely launch a temporary denial of service attack, which can cause the system to hang or the device to restart\n*Logic vulnerabilities that can be used to deceive users\n* Locally read arbitrary data from the victim APP sandbox\n* Bypass APP lock screen bypass\n* Locally Obtain sensitive user information (for example: mobile phone number) without permission\n* Locally execute arbitrary code in ord application processes\n* Locally turn on or off functions that are usually initiated by users without user interaction, or functions that require user permission before they can be used\n\n \n\n\n**Examples of LOW vulnerabilities** \n* Vulnerabilities that require multiple (more than two) user interactions to trigger\n* Hijacking vulnerability in APP upgrade function\n* Requires physical contact. 
In some scenarios, information security-related vulnerabilities will only occur with the user cooperation\n* Obtain non-user-related sensitive information\n* Launch a temporary denial of service attack remotely, causing the application to crash and restart\n* Execute arbitrary code in restricted processes through local\n\n\n### Terminology Explanation\n**Remote**: refers to exploiting vulnerabilities to carry out attacks without installing applications or actually touching the device, including web browsing, reading SMS and MMS messages, sending and receiving emails, file downloads, and wireless network communications (excluding short-range communications with a communication distance less than 10 cm) ) and other methods.\n**Local**: Refers to exploiting vulnerabilities to carry out attacks that require the installation of applications on the victim system, or require physical contact with the device and short-range communication with a communication distance of less than 10 centimeters.\n**Restricted process**: A process that is subject to stricter permission constraints than ordinary application processes, or that runs in a highly restricted SElinux (or SEAndroid) domain.\n**Ordinary application process**: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application process or a built-in application process without system-level permissions.\n**Privileged process**: refers to applications or processes running in the system_app domain of SELinux (or SEAndroid), including processes running with system-level permissions and processes with root permissions.\n**TCB**: TCB is the abbreviation of Trusted Computing Base, which refers to the overall protection device in the computer, including hardware, firmware, software and the combination responsible for executing security policies. 
It establishes a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to part of the kernel and drivers, or user services equivalent to the kernel, such as init, vold, etc.\n**TEE**: TEE is the abbreviation of Trusted Execution Environment, which coexists with the Android system on the device. It is mainly used to provide Android with an operating environment for trusted computing, trusted storage , and other security services.\n**ICE**: ICE is the abbreviation of Independent Computing Environment, which refers to a combination of relatively focused functional services and an independent computing unit, firmware program, and simple OS, such as a baseband Modem.\n \n ------------ \n\n## HARDWARE VULNERABILITIES\n### Scope \u0026 Categorization\n* Xiaomi and Mijia brand hardware \u0026 IoT products. \n* For hardware \u0026 IoT products not using Xiaomi and Mijia brand, please submit the vulnerability by selecting “Other hardware assets”. \n*Important businesses: Routers, Cameras, TV,and other intelligent hardware related to user privacy, personal safety, and property security.\n* General businesses: Devices that do not store user information and do not pose significant  risks to users ,like Smart bulb. 
etc.\n \n### Bounty Scheme and Examples \n| Categorization / Severity      | Critical      | High      | Medium      | low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $2000~$9000 | $800~$2000 | $200~$600 | $50~$100 |\n| General Business   | $500~$1200  | $400~$700 | $80~$150 | $10-$50 |\n\n \n **Examples of Critical vulnerabilities**\n* Vulnerabilities that could cause significant financial loss to users\n* Universal RCE  targeting different device models\n* Remotely render a device permanently inoperable\n\n **Examples of HIGH vulnerabilities**\n* Non-interactive command execution in LAN environment\n* Vulnerabilities that can acquire large amounts of detailed sensitive user information within WAN environment\n\n **Examples of MEDIUM vulnerabilities**\n* Interactive or authorized command execution in LAN environment\n* Denial-of-service (not including traffic and performance attacks)   in  WAN environment\n \n\n **Examples of LOW vulnerabilities**\n* Insecure Configuration\n* Implant malicious code or tamper with firmware into the target device physically but without dismantling the device\n* Denial-of-service (not including traffic and performance attacks) impact on the device via  LAN\n\n--------- \n\n\n## PRIVACY VULNERABILITIES\n\n**Scope**\nMobile apps preinstalled on the smartphones of Xiaomi.\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Broswer) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging ) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security（Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n** Bounties **\n\n|  Severity  | Bounty  | \n| -------------- | ------------------ |\n| High | $500-$200 |\n| Medium | $200-$100 |\n| Low | $100-$50 |\n\nPrivacy vulnerabilities refer to violations of laws and regulations related to privacy or data protection in the country or region where the user is located. If it is not fixed in time, it will infringe the user's rights and interests, or cause negative impact or damage to the company's operations or reputation.\nThe severity of a privacy vulnerability will be comprehensively determined based on factors such as the degree of violation of laws and regulations, the degree of damage to user rights and interests, the degree of impact on the company, and the impact scope.\n\n\n--------- \n\n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please always consider the attack scenario and exploitability, as well as the security impact of the vulnerability. For vulnerabilities that are difficult to exploit and have low impact, we may ignore this submission. 
The following types of issues will not be accepted and are considered beyond the scope of our bug bounty program.\n\n**For Web**\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS, having a user paste JavaScript into the browser console, or exposure of third-party API keys that cannot be used and have no significant security impact\n* Subdomain takeovers where the takeover cannot be demonstrated\n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing the software version or IP address\n    * Uploaded files that cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP status codes or pages and other non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain information about intranet servers and only produces a DNS log entry, with no impact\n* Misconfigurations such as:\n    * DNS issues (e.g. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, not just a scanner report)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability\n\n**For Mobile**\n**Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 App secrets hard-coded in or recoverable from the APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection controls in Android apps\n* APP setting allowbackup:True\n \n**Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**Others**\n* Any data leak that occurs because a malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida or Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities with little deceptive potential\n* Attacks that only work on lower versions of Android\n\n--------- \n\n\n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability?\n\n*Absolutely not! 
If the ignored vulnerability is later fixed, it is possible that the vulnerability has already been discovered internally and is being fixed, or that the vulnerability no longer appears during the change of the product itself, rather than Xiaomi ignoring the report and fixing it based on the report information.*\n\n--------- \n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-10T08:47:33.568Z"},{"id":3725030,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Disclosure Policy\n* Safe Harbour\n* Response Time\n* General Assessment Rules\n* Detailed Rules and Reward Scheme\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n    * Privacy Vulnerabilities \n* Out of scope Vulnerabilities\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is vital to us, and we constantly strive to guarantee our users' security. Xiaomi hopes to provide solid and comprehensive security protection to our products and services by working closely with individuals, organizations, and companies around the world. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect users' privacy - Xiaomi hopes to respect our users’ privacy, and we oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg: exploiting vulnerabilities to steal user data, editing, copying, or stealing data from related system services through the intrusion into Xiaomi’s services, or maliciously disseminating vulnerabilities which may disclose users' data.\n* Cause more good than harm - You should never leave a system or users in a more dangerous state when you find any vulnerabilities. 
You shall not engage in activities that may degrade, damage, or destroy the information in our systems, or that may impact our users, such as Denial of Service, social engineering, or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle it in accordance with the principle of prioritizing the interests of reporters, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be introduced. \n* This platform is for international white hats. White hats from Mainland China should submit the report to the Xiaomi Security Center via https://sec.xiaomi.com/\n\n ------------ \n\n# Disclosure Guidelines\n* Please do not disclose or discuss any security vulnerabilities (even resolved vulnerabilities) in Xiaomi products without express consent from Xiaomi, regardless of whether the vulnerability falls within this bug bounty program.\n* Please follow the disclosure guidelines of HackerOne. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. 
If the suggestions are adopted, Xiaomi will send you a thanks reward.\n\nThanks for keeping Xiaomi and our users secure and safe!\n\n--------- \n\n# Response Time\nXiaomi will make a best effort to meet the following target response time for the white hats participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress.\n\nPlease _do not_ send spam messages and follow-ups if our response doesn't exceed the target response time above. We appreciate your patience.\n\n ------------ \n\n# General Assessment Rules\n* Please include as much detailed information as possible in the vulnerability report, such as the steps to reproduce the vulnerability and the expected results of each step. If the information you submit is insufficient to help us verify the vulnerability, you will not be eligible for the reward.\n* If you discover a security vulnerability through the use of automated tools or scanners, please perform a manual reproduction and provide relevant details, otherwise, the vulnerability report may be ignored or receive a smaller reward than expected.\n* If multiple vulnerability reports are submitted, all caused by the same reason, these reports will only be confirmed as ONE valid submission. 
For example, vulnerabilities caused by a common server configuration that affects multiple products.\n* When duplicate vulnerability reports appear, we will verify them in order of submission time, and the first vulnerability report that meets the confirmation requirements will be rewarded.\n* For vulnerability reports involving third-party components, we only accept unknown or 0-day vulnerabilities, and only reward the first valid submission.\n* For vulnerability reports involving Xiaomi's cooperative manufacturers, we only confirm vulnerabilities that affect Xiaomi's products and services and give reasonable ratings based on the actual situation.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF vulnerability in our production environment, please test it via https://ssrf.dun.mi.com/ssrf/hacker. Depending on your test results, please provide the following information in your report:\n    *  If the response is echoed, a complete page screenshot of the echoed response (including the text length and whether the echo is complete or partial) shall be provided in the report.\n    *  If there is no echo, the content and access time of the custom field shall be provided in the report. We will verify the submitted information.\n* For vulnerabilities related to data leakage from cloud storage buckets, e.g. 
S3, KSS, FDS, etc., the following factors will be considered before confirmation:\n    *  whether access to the data or link should have been restricted,\n    *  if so, the sensitivity of the data or link exposed to the public.\n* The final assessment result of each vulnerability report depends on multiple factors, including but not limited to the severity and risk, the difficulty of exploitation, the scope of impact, and whether mitigation measures exist.\n* Xiaomi has the final right of decision and interpretation over assessment results, including whether a vulnerability report is rewarded and the specific amount of the reward.\n\n\n\n------------ \n\n# Detailed Rules and Bounty Scheme\n\n\n\n## WEB VULNERABILITIES\n\n**Scope \u0026 Categorization**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: virtual banking, Xiaomi Chaoshen, financial technology, and other businesses in which Xiaomi has invested cooperatively, as well as some third-party businesses such as imilab.com, zhimi.com, zmifi.com, etc.; this also covers operation and maintenance monitoring, test pages, testing environments, and open source systems that lack access control (whether a business suspected from its name to be Xiaomi-related actually has an impact on Xiaomi is confirmed by internal evaluation);\n\n*Please note that the above list may be updated due to business development at any time.*\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $900~$2000 | $400~$800 | $70~$110 | No Reward |\n| General Business   | $400~$800  | $150~$300 | $20~$60 | No Reward |\n| Edge Business      | $100~$200   
| $30~$50 | No Reward | No Reward |\n\n*Please note that vulnerabilities with low severity will be triaged and receive reputation points accordingly, but will not be eligible for bounties.*\n\n**Examples of CRITICAL vulnerabilities**\n* Vulnerabilities that grant direct access to core system permissions or can directly harm the intranet, including but not limited to command execution, remote overflow, and similar vulnerabilities;\n* Vulnerabilities that can obtain a large amount of core Xiaomi user data or trade-secret contracts, including but not limited to SQL injection into core databases;\n* Payment-related vulnerabilities, including but not limited to serious logic errors and vulnerabilities that can obtain large benefits and cause losses to the company and users;\n* Vulnerabilities that endanger the Xiaomi account system: without any user interaction, logging in to any Xiaomi account, obtaining detailed user information, logging in to Xiaomi Cloud to control mobile phones, making payments on the user's behalf, or obtaining other permissions\n \n\n \n**Examples of HIGH vulnerabilities**\n* Vulnerabilities that can obtain sensitive user information, including but not limited to SQL injection on ordinary sites;\n* Logic vulnerabilities in individual activities and businesses, such as those that can obtain undue benefits such as points and red packets;\n* Weak passwords or authentication bypasses into a backend that exposes actual permissions or sensitive information such as source code, allowing an online business to be operated and causing greater harm;\n* SSRF that reaches the intranet, supports a variety of protocols, and can detect vulnerabilities in intranet services (for the SSRF verification method, see the note on SSRF testing in the assessment rules);\n* Vulnerabilities that, in specific scenarios or through some user interaction, allow logging in to individual Xiaomi accounts with actual user operation permissions;\n* Access to sensitive information such as core cookies, or stored XSS\n\n\n 
\n**Examples of MEDIUM vulnerabilities**\n*  General user information disclosure;\n*  Vulnerabilities that require interaction to affect users, including but not limited to stored XSS and CSRF on important sensitive operations;\n*  Destructive unauthorized actions, such as editing or deleting comments, changing function attributes, etc.;\n*  File inclusion, directory traversal, and vulnerabilities that can view some sensitive information;\n*  Code leaks and vulnerabilities that expose sensitive information but have not been successfully exploited;\n*  SSRF that reaches the intranet with no echo, or with partial echo, but fails to obtain information or service permissions (for the SSRF verification method, see the note on SSRF testing in the assessment rules);\n*  GitHub leaks that disclose employee email account passwords or online server account passwords; file uploads that can only be used for phishing; (important business) stored XSS that is not limited by browser security policies; DOM XSS that requires strong, multi-step interaction (two steps or more) to have a greater impact on users;\n*  Domain names that can be hijacked arbitrarily by an attacker\n\n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that can obtain user information under certain circumstances, including but not limited to reflected XSS, CSRF, temporary file traversal, URL redirection, SMS bombing, and minor information disclosure;\n* Including but not limited to debugging information, phpinfo, SVN file disclosure, employee intranet test-server account passwords leaked on GitHub, and other machine log files containing some sensitive information;\n* Confirmed vulnerabilities that are difficult to exploit;\n* Denial-of-service attacks caused by application-layer defects;\n\n\n------------ \n\n## MOBILE VULNERABILITIES\n### Scope \u0026 Categorization\n* Important businesses: Latest versions of Xiaomi mobile apps preinstalled on Xiaomi mobile phones, MIUI vulnerabilities\n* General 
businesses: Single-issue apps, non-preinstalled but downloadable Xiaomi mobile apps\n* Edge businesses: Special edition business apps\n\n*Please note that the above list may be updated due to business development at any time.*\n\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $3500~$115000 | $800~$1600 | $200~$600 | $50~$100 |\n| General Business   | $700~$3000  | $400~$700 | $100~$200 | $10 |\n| Edge Business      | $300~$700   | $100~$150 | $10  | $5 |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Bypass Secure Boot\n* Launch a permanent denial of service attack remotely, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Obtain ROOT permissions\n* Remote execution of arbitrary code in a privileged process\n* Execute arbitrary code in the TEE\n* Unauthorized access to TEE-protected data (only fingerprints, faces, and other data that can cause user property damage are rated as critical)\n \n\n**Examples of HIGH vulnerabilities**\n* Remotely obtain user-related sensitive information (photos, address books, audio, etc.)\n* Remotely execute arbitrary code in ordinary application processes\n* Remote access to protected data (data accessible by privileged processes only)\n* Local execution of arbitrary code in privileged applications, the TCB, or an ICE\n* System-level lock screen bypass (must be tested on the latest development version and be universally reproducible)\n* Launch a permanent denial of service attack locally, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Remotely read arbitrary data in the victim APP sandbox\n* Remotely turn on or off functions that are usually initiated by users, without user interaction, or functions that require user permission before they can be used\n* 
Bypassing device protection functions (e.g. mobile phone retrieval)\n* Modify security settings locally without user interaction\n* Obtain user-sensitive information locally\n \n\n**Examples of MEDIUM vulnerabilities**\n* Remotely launch a temporary denial of service attack, which can cause the system to hang or the device to restart\n* Logic vulnerabilities that can be used to deceive users\n* Locally read arbitrary data from the victim APP sandbox\n* Bypass the APP lock screen\n* Locally obtain sensitive user information (for example, the mobile phone number) without permission\n* Locally execute arbitrary code in ordinary application processes\n* Locally turn on or off functions that are usually initiated by users, without user interaction, or functions that require user permission before they can be used\n\n \n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that require multiple (more than two) user interactions to trigger\n* Hijacking vulnerability in the APP upgrade function\n* Requires physical contact. 
In some scenarios, security-related vulnerabilities will only occur with user cooperation\n* Obtain non-user-related sensitive information\n* Launch a temporary denial of service attack remotely, causing the application to crash and restart\n* Locally execute arbitrary code in restricted processes\n\n\n### Terminology Explanation\n**Remote**: refers to exploiting vulnerabilities to carry out attacks without installing applications or actually touching the device, including web browsing, reading SMS and MMS messages, sending and receiving emails, file downloads, wireless network communications (excluding short-range communications with a communication distance of less than 10 cm), and other methods.\n**Local**: refers to exploiting vulnerabilities to carry out attacks that require the installation of applications on the victim system, or require physical contact with the device or short-range communication with a communication distance of less than 10 centimeters.\n**Restricted process**: a process that is subject to stricter permission constraints than ordinary application processes, or that runs in a highly restricted SELinux (or SEAndroid) domain.\n**Ordinary application process**: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application process or a built-in application process without system-level permissions.\n**Privileged process**: refers to applications or processes running in the system_app domain of SELinux (or SEAndroid), including processes running with system-level permissions and processes with root permissions.\n**TCB**: TCB is the abbreviation of Trusted Computing Base, which refers to the overall protection mechanism of the computer, including the hardware, firmware, software, and their combination responsible for enforcing security policies. 
It establishes a basic protection environment and provides the additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init, vold, etc.\n**TEE**: TEE is the abbreviation of Trusted Execution Environment, which coexists with the Android system on the device. It is mainly used to provide Android with an operating environment for trusted computing, trusted storage, and other security services.\n**ICE**: ICE is the abbreviation of Independent Computing Environment, which refers to a combination of relatively focused functional services and an independent computing unit, firmware program, and simple OS, such as a baseband modem.\n \n ------------ \n\n## HARDWARE VULNERABILITIES\n### Scope \u0026 Categorization\n* Xiaomi and Mijia brand hardware \u0026 IoT products. \n* For hardware \u0026 IoT products not using the Xiaomi or Mijia brand, please submit the vulnerability by selecting “Other hardware assets”. 
\n \n### Bounties\n|  Severity  |  High  | Medium  | Low   | \n| -------------- | ------------------ |---------------|---------------|\n| Bounty | $4000-$1500 | $1500-$400 | $400-$150 | \n \n**Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n* Serious logic flaws that can cause large economic losses\n\n \n**Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n \n\n**Examples of LOW vulnerabilities**\n* Physically implanting malicious code into, or tampering with the firmware of, the target device without dismantling it\n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n\n## PRIVACY VULNERABILITIES\n\n**Scope**\nMobile apps preinstalled on Xiaomi smartphones.\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms. 
|\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) |  com.miui.securitycenter. |\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services \u0026 feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n|  Severity  | Bounty  | \n| -------------- | ------------------ |\n| High | $500-$200 |\n| Medium | $200-$100 |\n| Low | $100-$50 |\n\nPrivacy vulnerabilities refer to violations of laws and regulations related to privacy or data protection in the country or region where the user is located. If such a vulnerability is not fixed in time, it will infringe the user's rights and interests, or cause negative impact or damage to the company's operations or reputation.\nThe severity of a privacy vulnerability will be determined comprehensively based on factors such as the degree of violation of laws and regulations, the degree of damage to user rights and interests, the degree of impact on the company, and the scope of impact.\n\n\n--------- \n\n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please always consider the attack scenario and exploitability, as well as the security impact of the vulnerability. For vulnerabilities that are difficult to exploit and have low impact, we may ignore the submission. 
The following types of issues will not be accepted and are considered beyond the scope of our bug bounty program.\n\n**For Web**\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS, having a user paste JavaScript into the browser console, or exposure of third-party API keys that cannot be used and have no significant security impact\n* Subdomain takeovers where the takeover cannot be demonstrated\n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing the software version or IP address\n    * Uploaded files that cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP status codes or pages and other non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain information about intranet servers and only produces a DNS log entry, with no impact\n* Misconfigurations such as:\n    * DNS issues (e.g. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, not just a scanner report)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability\n\n**For Mobile**\n**Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 App secrets hard-coded in or recoverable from the APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection controls in Android apps\n* APP setting allowbackup:True\n \n**Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**Others**\n* Any data leak that occurs because a malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida or Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities with little deceptive potential\n* Attacks that only work on lower versions of Android\n\n--------- \n\n\n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability?\n\n*Absolutely not! 
If the ignored vulnerability is later fixed, it is possible that the vulnerability has already been discovered internally and is being fixed, or that the vulnerability no longer appears during the change of the product itself, rather than Xiaomi ignoring the report and fixing it based on the report information.*\n\n--------- \n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-06T09:06:47.817Z"},{"id":3725029,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Disclosure Policy\n* Safe Harbour\n* Response Time\n* General Assessment Rules\n* Detailed Rules and Reward Scheme\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n    * Privacy Vulnerabilities \n* Out of scope Vulnerabilities\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is vital to us, and we constantly strive to guarantee our users' security. Xiaomi hopes to provide solid and comprehensive security protection to our products and services by working closely with individuals, organizations, and companies around the world. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect users' privacy - Xiaomi hopes to respect our users’ privacy, and we oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg: exploiting vulnerabilities to steal user data, editing, copying, or stealing data from related system services through the intrusion into Xiaomi’s services, or maliciously disseminating vulnerabilities which may disclose users' data.\n* Cause more good than harm - You should never leave a system or users in a more dangerous state when you find any vulnerabilities. 
You shall not engage in activities that may degrade, damage, or destroy the information in our systems, or that may impact our users, such as Denial of Service, social engineering, or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle it in accordance with the principle of prioritizing the interests of reporters, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be introduced. \n* This platform is for international white hats. White hats from Mainland China should submit the report to the Xiaomi Security Center via https://sec.xiaomi.com/\n\n ------------ \n\n# Disclosure Guidelines\n* Please do not disclose or discuss any security vulnerabilities (even resolved vulnerabilities) in Xiaomi products without express consent from Xiaomi, regardless of whether the vulnerability falls within this bug bounty program.\n* Please follow the disclosure guidelines of HackerOne. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. 
If the suggestions are adopted, Xiaomi will send you a thanks reward.\n\nThanks for keeping Xiaomi and our users secure and safe!\n\n--------- \n\n# Response Time\nXiaomi will make a best effort to meet the following target response time for the white hats participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress.\n\nPlease _do not_ send spam messages and follow-ups if our response doesn't exceed the target response time above. We appreciate your patience.\n\n ------------ \n\n# General Assessment Rules\n* Please include as much detailed information as possible in the vulnerability report, such as the steps to reproduce the vulnerability and the expected results of each step. If the information you submit is insufficient to help us verify the vulnerability, you will not be eligible for the reward.\n* If you discover a security vulnerability through the use of automated tools or scanners, please perform a manual reproduction and provide relevant details, otherwise, the vulnerability report may be ignored or receive a smaller reward than expected.\n* If multiple vulnerability reports are submitted, all caused by the same reason, these reports will only be confirmed as ONE valid submission. 
For example, vulnerabilities caused by a common server configuration that affects multiple products.\n* When duplicate vulnerability reports appear, we will verify them based on the order of submission time, and the first vulnerability report that meets the confirmation requirements will be rewarded.\n* For vulnerability reports involving third-party components, we only accept unknown or 0-day vulnerabilities, and only reward the first valid submission.\n* For vulnerability reports involving the cooperative manufacturers of Xiaomi, we only confirm the vulnerabilities that affect the products and services of Xiaomi and give reasonable ratings based on the actual situation.\n* We set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF vulnerability in our production environment, please test it via https://ssrf.dun.mi.com/ssrf/hacker. Please provide the necessary information when submitting the report based on your testing results as follows -\n    *  If there is an echo display, a complete page screenshot of the echo display (including text length, and complete/partial echo) shall be provided in the report.\n    *  If there is no echo display, the content and access time of the custom field shall be provided in the report. We will verify your submitted information.\n* For vulnerabilities related to data leakage from cloud storage buckets, e.g. 
S3, KSS, FDS, etc., the following factors will be considered before confirmation -\n    *  whether the data or link should have access restricted,\n    *  if yes, the sensitivity of the data or link that is exposed to the public.\n* The final assessment result of each vulnerability report depends on multiple factors, including but not limited to the severity and risk, the difficulty of being exploited, the scope of impact, and whether there are mitigation measures.\n* Xiaomi has the final decision and interpretation rights on the final assessment results, including whether a vulnerability report should be rewarded and the specific amount of the reward.\n\n\n\n------------ \n\n# Detailed Rules and Bounty Scheme\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Scope \u0026 Categorization**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: virtual banking, Xiaomi Chaoshen, financial technology, and other Xiaomi cooperative investment businesses; some third-party businesses such as imilab.com, zhimi.com, zmifi.com, etc.; and some operation and maintenance monitoring, test pages, testing environments, and open source systems that lack access controls (where a business appears to be Xiaomi-related by name, internal evaluation will confirm whether it has an actual impact on Xiaomi);\n\n*Please note that the above list may be updated due to business development at any time.*\n \n### Bounty Scheme and Examples \n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $900~$2000 | $400~$800 | $70~$110 | No Reward |\n| General Business   | $400~$800  | $150~$300 | $20~$60 | No Reward |\n| Edge Business      | 
$100~$200   | $30~$50 | No Reward | No Reward |\n\n*Please note that vulnerabilities with low severity will be triaged and receive reputation points accordingly, but will not be eligible for bounties.*\n\n**Examples of CRITICAL vulnerabilities**\n* Vulnerabilities that directly obtain core system permissions and can directly harm the intranet, including but not limited to command execution, remote overflow, and other vulnerabilities;\n* Vulnerabilities that can obtain a large amount of Xiaomi user core data or involve trade secret contracts, including but not limited to SQL injection into core databases;\n* Payment-related vulnerabilities, including but not limited to serious logic errors and vulnerabilities that can obtain a large number of benefits and cause losses to the company and users;\n* Vulnerabilities that endanger the Xiaomi account system: without any interaction, logging in to any Xiaomi account, obtaining detailed user information, logging in to Xiaomi Cloud to control mobile phones, user payment, and other permissions\n \n\n \n**Examples of HIGH vulnerabilities**\n* Vulnerabilities that can obtain sensitive user information, including but not limited to SQL injection on ordinary sites;\n* Logic vulnerabilities in individual activities and businesses, such as those that can obtain higher benefits, such as points and red packets;\n* Weak passwords or authentication bypasses into back-end systems that hold actual permissions or leak sensitive information or code, so that an online business can actually be operated and greater harm caused;\n* SSRF that reaches the intranet, supports a variety of protocols, and can detect vulnerabilities in intranet services (for the SSRF verification method, see the note in the General Assessment Rules);\n* Vulnerabilities that, in specific scenarios or through some user interaction, log in to individual Xiaomi accounts with actual user operation permissions;\n* Access to sensitive information such as core cookies, or stored 
XSS\n\n\n \n**Examples of MEDIUM vulnerabilities**\n*  General user information disclosure;\n*  Vulnerabilities that require interaction to affect users, including but not limited to stored XSS and CSRF for important sensitive operations;\n*  Destructive unauthorized access (ultra vires), such as editing or deleting comments, changing function attributes, etc.\n*  File inclusion, directory traversal, and vulnerabilities that can view some sensitive information;\n*  Code leaks and vulnerabilities that expose sensitive information but have not been successfully exploited;\n*  SSRF that reaches the intranet with no echo, or with partial echo but without obtaining information or service permissions (for the SSRF verification method, see the note in the General Assessment Rules);\n*  Vulnerabilities in GitHub that disclose employee email account passwords or online server account passwords; file uploads that can only be used for phishing; (important business) stored XSS vulnerabilities that are not limited by browser security policies; DOM XSS that requires strong or multi-step interaction (two steps or more) to have a greater impact on users;\n*  The domain name can be hijacked arbitrarily by an attacker\n\n\n\n**Examples of LOW vulnerabilities**\n* Vulnerabilities that can obtain user information under certain circumstances, including but not limited to reflected XSS, CSRF, temporary file traversal, URL redirection, SMS bombing, and minor information disclosure;\n* Disclosure of debugging information, phpinfo, SVN files, GitHub leaks of employee intranet test server account passwords, and other machine log files with certain sensitive information;\n* Confirmed as a vulnerability, but more difficult to exploit;\n* Denial of service attacks caused by application layer defects;\n\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n### Scope \u0026 Categorization\n* Important businesses: Latest version of Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones, MIUI 
vulnerabilities\n* General businesses: Single-issue apps, non-pre-installed but downloadable Xiaomi mobile apps\n* Edge businesses: Special Edition Business APP\n\n*Please note that the above list may be updated due to business development at any time.*\n\n \n### Bounty Scheme and Examples\n| Categorization / Severity      | Critical      | High      | Medium      | Low      |\n| ------------------ | ----------- | ----------- | ----------- | ----------- |\n| Important Business | $3500~$115000 | $800~$1600 | $200~$600 | $50~$100 |\n| General Business   | $700~$3000  | $400~$700 | $100~$200 | $10 |\n| Edge Business      | $300~$700   | $100~$150 | $10  | $5 |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Bypass the Secure Boot\n* Launch a permanent denial of service attack remotely, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Obtain ROOT permissions\n* Remote execution of arbitrary code in a privileged process\n* Execute arbitrary code in TEE\n* Unauthorized access to TEE-protected data (only fingerprints, faces and other data that can cause user property damage are rated as serious)\n \n\n **Examples of HIGH vulnerabilities**\n* Remotely obtain user-related sensitive information (photos, address books, audio, etc.)\n* Remotely execute arbitrary code in ordinary application processes\n* Remote access to protected data (data accessed by privileged processes only)\n* Local execution of arbitrary code in privileged applications, TCB, or ICE\n* System-level lock screen bypass (needs to be tested on the latest development version and be universally reproducible)\n* Launch a permanent denial of service attack locally, causing the device to no longer be usable and requiring flashing and erasing of all data to recover\n* Remotely read arbitrary data in the victim APP sandbox\n* Remotely turn on or off functions that are usually initiated by users without user interaction, or functions that require user permission before 
they can be used\n* Bypassing device protection functions (e.g. mobile phone retrieval)\n* Modify security settings locally without user interaction\n* Obtain user-sensitive information locally\n \n\n**Examples of MEDIUM vulnerabilities**\n* Remotely launch a temporary denial of service attack, which can cause the system to hang or the device to restart\n* Logic vulnerabilities that can be used to deceive users\n* Locally read arbitrary data from the victim APP sandbox\n* Bypass the APP lock screen\n* Locally obtain sensitive user information (for example: mobile phone number) without permission\n* Locally execute arbitrary code in ordinary application processes\n* Locally turn on or off functions that are usually initiated by users without user interaction, or functions that require user permission before they can be used\n\n \n\n\n**Examples of LOW vulnerabilities** \n* Vulnerabilities that require multiple (more than two) user interactions to trigger\n* Hijacking vulnerability in the APP upgrade function\n* Requires physical contact. 
In some scenarios, information security-related vulnerabilities will only occur with the user's cooperation\n* Obtain non-user-related sensitive information\n* Launch a temporary denial of service attack remotely, causing the application to crash and restart\n* Locally execute arbitrary code in restricted processes\n\n\n### Terminology Explanation\n**Remote**: refers to exploiting vulnerabilities to carry out attacks without installing applications or actually touching the device, including web browsing, reading SMS and MMS messages, sending and receiving emails, file downloads, wireless network communications (excluding short-range communications with a communication distance of less than 10 cm) and other methods.\n**Local**: refers to exploiting vulnerabilities to carry out attacks that require the installation of applications on the victim system, or require physical contact with the device and short-range communication with a communication distance of less than 10 centimeters.\n**Restricted process**: a process that is subject to stricter permission constraints than ordinary application processes, or that runs in a highly restricted SELinux (or SEAndroid) domain.\n**Ordinary application process**: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application process or a built-in application process without system-level permissions.\n**Privileged process**: refers to applications or processes running in the system_app domain of SELinux (or SEAndroid), including processes running with system-level permissions and processes with root permissions.\n**TCB**: TCB is the abbreviation of Trusted Computing Base, which refers to the overall protection mechanism of a computer, including the hardware, firmware and software, and their combination, that is responsible for enforcing security policies. 
It establishes a basic protection environment and provides the additional user services required by a trusted computer system, including but not limited to part of the kernel and drivers, or user services equivalent to the kernel, such as init, vold, etc.\n**TEE**: TEE is the abbreviation of Trusted Execution Environment, which coexists with the Android system on the device. It is mainly used to provide Android with an operating environment for trusted computing, trusted storage, and other security services.\n**ICE**: ICE is the abbreviation of Independent Computing Environment, which refers to a combination of relatively focused functional services and an independent computing unit, firmware program, and simple OS, such as a baseband modem.\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n### Scope \u0026 Categorization\n* Xiaomi and Mijia brand hardware \u0026 IoT products. \n* For hardware \u0026 IoT products not using the Xiaomi or Mijia brand, please submit the vulnerability by selecting “Other hardware assets”. 
\n \n### Bounty Scheme and Examples \n|  Severity  |  High  | Medium  | Low   | \n| -------------- | ------------------ |---------------|---------------|\n| Bounty | $4000-$1500 | $1500-$400 | $400-$150 | \n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video) \n* Serious logic vulnerabilities that can cause large economic losses \n\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN environment.\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n \n\n **Examples of LOW vulnerabilities**\n* Implant malicious code into, or tamper with the firmware of, the target device physically but without dismantling the device\n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n\n\u003e ## _ PRIVACY VULNERABILITIES_\n\n**Scope**\nMobile apps preinstalled on the smartphones of Xiaomi.\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging ) | com.android.mms. 
|\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) |  com.miui.securitycenter. |\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n|  Severity  | Bounty  | \n| -------------- | ------------------ |\n| High | $500-$200 |\n| Medium | $200-$100 |\n| Low | $100-$50 |\n\nPrivacy vulnerabilities refer to violations of laws and regulations related to privacy or data protection in the country or region where the user is located. If such a vulnerability is not fixed in time, it will infringe the user's rights and interests, or cause negative impact or damage to the company's operations or reputation.\nThe severity of a privacy vulnerability will be comprehensively determined based on factors such as the degree of violation of laws and regulations, the degree of damage to user rights and interests, the degree of impact on the company, and the scope of impact.\n\n\n--------- \n\n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please always consider the attack scenario and exploitability, as well as the security impact of the vulnerability. For vulnerabilities that are difficult to exploit and have low impact, we may ignore the submission. 
The following types of issues will not be accepted and are considered beyond the scope of our bug bounty program.\n\n**For Web**\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS/having a user paste JavaScript into the browser console/unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where you cannot prove the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF/unauthenticated or low-impact CSRF/low-impact CRLF/self-use CSRF/low-impact clickjacking and UI redressing/CORS misconfiguration without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Non-sensitive information disclosure such as:\n    * Error messages: software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain outdated IE browsers\n    * HTTP error codes/pages, etc., and other non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain information about intranet servers and only produce a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**For Mobile**\n**Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 App secret hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection controls in the Android app\n* APP setting allowBackup: true \n \n**Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**Others**\n* Any data leak because a malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities with little deceptive potential\n* Attacks that only work on lower versions of Android\n\n--------- \n\n\n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability?\n\n*Absolutely not! 
If the ignored vulnerability is later fixed, it is possible that the vulnerability has already been discovered internally and is being fixed, or that the vulnerability no longer appears during the change of the product itself, rather than Xiaomi ignoring the report and fixing it based on the report information.*\n\n--------- \n\n# Special Reward\nXiaomi is excited to introduce new reward activities in our bug bounty program. These rewards are not time-bound and will run throughout the program. \n\n## ==1. Special Breakthrough Contribution Reward==\n**Effective from March 2021**\n**Introduction**\nAs a special thank you for contributing impactful reports, we will conduct the re-assessment on valid vulnerabilities determined to be critical severity. Based on the overall impact of the vulnerability on the business, **hackers may be rewarded an additional amount of $1,000 - $8,000 USD on top of the base vulnerability reward.**\n\n**Criteria**\nAside from the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability (eg: number of users, type of users affected) and the novelty of the vulnerability amongst other factors.\n\n## ==2. Monthly Leaderboard Reward==\n**Effective from March 2021**\n**Introduction**\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! **The hacker who has earned the most bounty on our program  in each month can get an _additional 30% reward_ on top of their total bounties for that month.**\n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on.\n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month.\n\n**Leaderboard Update** \nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive an additional 30% bounty.\n\nGood luck and happy hacking! We are looking forward to your reports.\n\n--------- \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-06T08:56:47.163Z"},{"id":3670087,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n     * Privacy Vulnerabilities \n     * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg: exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle it in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce the CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n ------------ \nThe Log4j2 JNDI injection vulnerability is a widespread general-purpose vulnerability. In line with our general vulnerability handling principle, the company is carrying out internal self-examination and upgrade repair at this stage, and Log4j related reports will be ignored. 
Thanks to the white hats for their help and assistance with Xiaomi's security work. Thank you for being with us all the way!\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and follow-ups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures. \n* Multiple vulnerabilities caused by the same vulnerability source count as one. 
For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm unknown and 0-day vulnerabilities, and only confirm the first submission.\n* For vulnerabilities in cooperative manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" part of the path can be customized to distinguish between tests:\n    * If there is an echo display, a complete page screenshot of the echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field shall be provided in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of the information leaked\n\n\n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\u003e ## _ PRIVACY VULNERABILITIES_\n\n**Testing Scope**:  Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging ) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) |  com.miui.securitycenter. |\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n|  High Severity  | Medium Severity  | Low Severity   | \n| -------------- | ------------------ |---------------|\n| $500-$200 | $200-$100 | $100-$50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities which will have a great impact on Xiaomi's business.\n* New vulnerabilities which involve new technology or have never been reported in the industry, and which will have a great impact on Xiaomi's business.  
\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting the user's personal information before obtaining the user's consent.\n* The user's personal information is still collected after the user has refused its collection.\n* The personal information actually collected exceeds the scope of the user's authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy.\n* Not providing mobile users with a method of deleting their personal information.\n* Not providing mobile users with a method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that obtain large profits and cause losses to the company and users\n* Vulnerabilities that damage the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      
| Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection\n* Some activity and business logic vulnerabilities, such as obtaining profits from points and red envelopes\n* Weak passwords or verification bypass giving access to backend clients with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities that have a huge impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log in to individual accounts via user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or the ability to cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties etc.\n* File inclusion and directory traversal vulnerabilities which could reveal some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF into the intranet with no echo or partial echo, but which cannot obtain information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such 
as employees' mailboxes and online server account passwords etc.\n* CSRF on key functions\n* File upload that can cause phishing or stored XSS\n* Vulnerabilities that need strong interaction or multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot, or security mechanisms such as SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that need some interaction logic but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at the system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than that mentioned in the Critical level\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Needing to install a malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally that makes the device unusable and requires a refresh or double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, phishing etc.\n* Bypassing the lock screen at the app level\n* Needing to install a malicious app to clone the app in a lower Android native environment\n* Needing to install a malicious app to read users' sensitive information in a lower Android native environment\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Needing to install a malicious app to read sensitive information that is not users' information \n* SQL injection of non-sensitive information in a local app\n* Using other apps' components to open any address or open a file, but without being able to get the data, by installing a malicious app\n* Browser address bar spoofing attacks\n* A temporary denial-of-service attack launched locally that causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit the vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $4000-$1500\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500-$400\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN environment.\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $400-$150\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into or tampering with the firmware of the target device physically, but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. E.g. 
Self-XSS/having a user paste JavaScript into the browser console/unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where you are unable to prove the subdomain can be taken over \n* Issues with minimal security implications, such as logout CSRF/unauthenticated CSRF/low-impact CSRF/low-impact CRLF/self-use CSRF/low-impact clickjacking, low-impact UI redressing/misconfigurations that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Non-sensitive information disclosure such as:\n    * Error messages: software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain low-level IE browsers\n    * HTTP status codes/pages, other non-standard HTTP codes/pages etc., and non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain the relevant server information of the intranet, but only produce a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs with sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App setting allowBackup:true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that are only possible in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be because a change in the business itself led to the vulnerability being repaired, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-21T06:48:57.222Z"},{"id":3666271,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities \n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates 2.0\n\nMonthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 35% reward on top of their HIGH Severity and above bounties for that month.** This special reward will commence from January 2022.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly 
basis. Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n| August 2021   | @sudhakar_muthumani  |\n| September 2021   | @xingguang  |\n| October 2021 | @kaonenniang |\n| November 2021   | @shadow2639  |\n| December 2021   | @bobrov  |\n| January 2022 | @bobrov |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle it in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide, using the CVSS standard. \n* This platform is only for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n ------------ \nThe Log4j2 JNDI injection vulnerability is a widespread general-purpose vulnerability. According to our general vulnerability handling principle, the company is carrying out internal self-examination and upgrade repairs at this stage, and Log4j-related reports will be disregarded. Thanks to the white hats for their help and assistance with Xiaomi's security work, and thank you for being with us all along.\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and follow-ups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same vulnerability source count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be customized so that your requests can be distinguished:\n    * If there is an echo (the response is displayed), a complete page screenshot of the echo (including text length, and whether it is a complete or partial echo) shall be submitted in the report.\n    * If there is no echo, state the content of the custom field and the access time in the report, and Xiaomi Security will verify it.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of the information leaked\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability on the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of its impact and its novelty, amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 35% reward on top of their HIGH Severity and above bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
E.g. if a hacker has earned $10,000 in bounties across 3 HIGH Severity reports this month, they will receive an additional 35% bounty amounting to $3,500, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 35% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\u003e ## _PRIVACY VULNERABILITIES_\n\n**Testing Scope**: Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n|  High Severity  | Medium Severity  | Low Severity   | \n| -------------- | ------------------ |---------------|\n| $500-$200 | $200-$100 | $100-$50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities which will lead to a great impact on Xiaomi's business.\n* New vulnerabilities which involve new technology or have never been reported in the industry, and which will bring a great impact to Xiaomi's business.  \n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting the user's personal information before obtaining the user's consent.\n* The user's personal information is still collected after the user has refused its collection.\n* The personal information actually collected exceeds the scope of the user's authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy. 
\n* Not providing mobile users with a method of deleting their personal information.\n* Not providing mobile users with a method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that obtain large profits and cause losses to the company and users\n* Vulnerabilities that damage the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection\n* Some activity and business logic vulnerabilities, such as obtaining profits from points and red envelopes\n* Weak passwords or verification bypass giving access to backend clients with some actual authority or 
sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities that have a huge impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log in to individual accounts via user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or the ability to cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties etc.\n* File inclusion and directory traversal vulnerabilities which could reveal some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF into the intranet with no echo or partial echo, but which cannot obtain information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such as employees' mailboxes and online server account passwords etc.\n* CSRF on key functions\n* File upload that can cause phishing or stored XSS\n* Vulnerabilities that need strong interaction or multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot, or security mechanisms such as SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that need some interaction logic but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at the system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than that mentioned in the Critical level\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Needing to install a malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally that makes the device unusable and requires a refresh or double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, phishing etc.\n* Bypassing the lock screen at the app level\n* Needing to install a malicious app to clone the app in a lower Android native environment\n* Needing to install a malicious app to read users' sensitive information in a lower Android native environment\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities**\n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can only be exploited under complex conditions\n* Application upgrade hijacked\n* Needs physical contact, specific scenarios, or users’ cooperation to endanger the security of information\n* Load an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information\n* SQL injection of insensitive information in a local app\n* Invoke other app components to open any address or file, but cannot get the data by installing a malicious app\n* Browser address bar spoofing attack\n* A temporary denial of service attack is launched locally to cause downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products.\n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $4000-$1500\n \n**Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500-$400\n \n**Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through a LAN environment\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $400-$150\n\n**Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with the firmware of the target device through physical access but without dismantling the device\n* Denial-of-service impact (not including traffic and performance attacks) on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact\n* Subdomain takeovers where you are unable to prove the subdomain can be taken over\n* Minimal security implications such as logout/unauthenticated/low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking, low-impact UI redressing, or CORS misconfiguration without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Insensitive information disclosure such as:\n    * Error messages: software version/IP\n    * Uploaded file cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages, other non-sensitive HTTP codes/pages, insensitive information files, etc.\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain relevant intranet server information and only produces a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in an Android app\n* App setting allowBackup=true\n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**(Mobile) Others**\n* Any data leak that requires the malicious app to have already acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be that a change in the business itself led to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-09T03:22:15.933Z"},{"id":3666270,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities\n    * Web Vulnerabilities\n    * Mobile Vulnerabilities\n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\nMonthly Xiaomi Hacker Leaderboard\n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n| August 2021   | @sudhakar_muthumani  |\n| September 2021   | @xingguang  |\n| October 2021 | @kaonenniang |\n| November 2021   | @shadow2639  |\n| December 2021   | @bobrov  |\n| January 2022 | @bobrov |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle them in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and the CVSS standard may be introduced.\n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n ------------ \nThe Log4j2 JNDI injection vulnerability is a widely affecting general-purpose vulnerability. In line with our general vulnerability handling principle, the company is carrying out internal self-examination and upgrade repair at this stage, so Log4j-related reports will be handled with low priority. Thanks to the white hats for their help and assistance with Xiaomi's security work. Thank you for being with us all the way!\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and follow-ups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures.\n* Multiple vulnerabilities caused by the same vulnerability source are counted as one. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm unknown and 0-day issues, and only confirm the first submission.\n* As for vulnerabilities of cooperating manufacturers, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be customized to distinguish your tests:\n    * If there is an echo display, a complete page screenshot of the echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field shall be stated in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of the information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\u003e ## _PRIVACY VULNERABILITIES_\n\n**Testing Scope**: Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n|  High Severity  | Medium Severity  | Low Severity   | \n| -------------- | ------------------ |---------------|\n| $500-$200 | $200-$100 | $100-$50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities which will have a great impact on Xiaomi's business.\n* New vulnerabilities which involve new technology or have never been reported in the industry, and which will have a great impact on Xiaomi's business.\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting users' personal information before obtaining the user's consent.\n* Users' personal information is still collected after the user has rejected the collection of such information.\n* The personal information actually collected exceeds the scope of user authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the collection and use rules for personal information in the privacy policy. 
\n* Not providing mobile users with a method of deleting their personal information.\n* Not providing mobile users with a method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that obtain large profits and cause losses to the company and users\n* Vulnerabilities that damage the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection\n* Some activity and business logic vulnerabilities, such as obtaining profits from points and red envelopes\n* Weak passwords or verification bypass to access backend clients with some actual authority or 
sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that have a huge impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log in to individual accounts through user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtaining a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Information disclosure of a few users\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities which can view some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF with no echo or partial echo from the intranet that cannot obtain information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload that causes phishing or stored XSS harm\n* Requires strong interaction or multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI\n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission check to access payment data or users’ authentication data in the TEE\n* Bypass system security mechanisms such as secure boot or SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Requires some user interaction but can lead to great loss for users\n* Obtain system permission\n* Bypass the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypass authentication to access sensitive data in the TEE other than the cases mentioned in the CRITICAL level\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without user interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a refresh or double wipe to recover\n* Launching a temporary denial of service attack remotely causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerability which can deceive users, enable phishing, etc.\n* Bypass the lock screen at app level\n* Requires installing a malicious app to clone the app in a lower Android native environment\n* Requires installing a malicious app to read users’ sensitive information in a lower Android native environment\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities**\n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can only be exploited under complex conditions\n* Application upgrade hijacked\n* Needs physical contact, specific scenarios, or users’ cooperation to endanger the security of information\n* Load an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information\n* SQL injection of insensitive information in a local app\n* Invoke other app components to open any address or file, but cannot get the data by installing a malicious app\n* Browser address bar spoofing attack\n* A temporary denial of service attack is launched locally to cause downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products.\n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through a LAN environment\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with the firmware of the target device through physical access but without dismantling the device\n* Denial-of-service impact (not including traffic and performance attacks) on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact\n* Subdomain takeovers where you are unable to prove the subdomain can be taken over\n* Minimal security implications such as logout/unauthenticated/low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking, low-impact UI redressing, or CORS misconfiguration without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Insensitive information disclosure such as:\n    * Error messages: software version/IP\n    * Uploaded file cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages, other non-sensitive HTTP codes/pages, insensitive information files, etc.\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain relevant intranet server information and only produces a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in an Android app\n* App setting allowBackup=true\n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**(Mobile) Others**\n* Any data leak that requires the malicious app to have already acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be that a change in the business itself led to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-09T03:14:36.221Z"},{"id":3666269,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities\n    * Web Vulnerabilities\n    * Mobile Vulnerabilities\n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates 2.0 \n\n2022 Monthly Xiaomi Hacker Leaderboard\n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 35% reward on top of their HIGH Severity and above bounties for that month.** This special reward will commence from January 2022.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a 
monthly basis. Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n| August 2021   | @sudhakar_muthumani  |\n| September 2021   | @xingguang  |\n| October 2021 | @kaonenniang |\n| November 2021   | @shadow2639  |\n| December 2021   | @bobrov  |\n| January 2022 | @bobrov |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n ------------ \nLog4j2 JNDI injection vulnerability affects a wide range of general-purpose vulnerabilities. According to the general vulnerability handling principle, the company’s internal self-examination and upgrade repair at this stage, Log4j related reports will be handled negligently. Thanks to the white hats for their help and assistance to Xiaomi's safety work.Thank you all the way there are you in~\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with our Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty after. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\u003e ## _ PRIVACY VULNERABILITIES_\n\n**Testing Scope**:  Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Broswer) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging ) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security（Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n| High Severity | Medium Severity | Low Severity |\n| -------------- | ------------------ |---------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities that will have a great impact on Xiaomi's business.\n* New vulnerabilities that involve new technology or have never been reported in the industry, and that will have a great impact on Xiaomi's business.\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting a user's personal information before obtaining the user's consent.\n* Continuing to collect a user's personal information after the user has refused such collection.\n* The personal information actually collected exceeds the scope of the user's authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy. 
\n* Not providing mobile users with method of deleting their personal information.\n*  Not providing mobile users with method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or 
sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~1500 |\n| General Business   | $300~700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a refresh or double wipe to recover\n* Launching a temporary denial of service attack remotely causes a remote downtime or reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities**\n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or the user's cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information\n* SQL injection of insensitive information in a local app\n* Invoking other app components to open any address or file, but unable to obtain the data, by installing a malicious app\n* Browser address bar spoofing attack\n* A temporary denial-of-service attack launched locally that causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products.\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities\nReward: $3000\n\n**Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device via the Internet or near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic flaws that can cause large economic losses\n \n### Bounties for MEDIUM Vulnerabilities\nReward: $1500\n\n**Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN environment.\n* Unauthorized control of the target device through the LAN or near-field non-contact mode, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities\nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device through physical access but without dismantling the device\n* Denial-of-service impact on the device via the Internet or LAN (not including traffic and performance attacks)\n\n--------- \n\n# Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice issues that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (Except for APP logs with                                                          sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in android app\n* APP setting allowbackup:True \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to the exported component causes the APP to crash only\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerability with less deceptive\n* Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a vulnerability it has dismissed?\n\n*Absolutely not! If a dismissed vulnerability is later fixed, it is because a change in the business itself led to the fix, not because Xiaomi ignored the hacker's report and fixed it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-09T03:10:01.368Z"},{"id":3666243,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities\n    * Web Vulnerabilities\n    * Mobile Vulnerabilities\n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates\n\nMonthly Xiaomi Hacker Leaderboard\n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n| August 2021   | @sudhakar_muthumani  |\n| September 2021   | @xingguang  |\n| October 2021 | @kaonenniang |\n| November 2021   | @shadow2639  |\n| December 2021   | @bobrov  |\n| January 2022 | @bobrov |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n ------------ \nLog4j2 JNDI injection vulnerability affects a wide range of general-purpose vulnerabilities. According to the general vulnerability handling principle, the company’s internal self-examination and upgrade repair at this stage, Log4j related reports will be handled negligently. Thanks to the white hats for their help and assistance to Xiaomi's safety work.Thank you all the way there are you in~\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
E.g. if a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid in the following month on the third (most recent) valid report. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will announce the results of our Hall of Fame every month, and the top security researcher of each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report, and the value of that reward, is entirely at Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded a bounty. \n\n\u003e ## _PRIVACY VULNERABILITIES_\n\n**Testing Scope**: Xiaomi mobile apps preinstalled on Xiaomi mobile phones\n\n| App Name | Package Name |\n| ------------------ | ----------------------- |\n| App Vault | com.mi.android.globalminusscreen |\n| Backup \u0026 Reset (Backup) | com.miui.backup |\n| Browser (Mi Browser) | com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms |\n| Mi Video (Mi Video Player) | com.miui.videoplayer |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) | com.miui.securitycenter 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services \u0026 feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n| High Severity | Medium Severity | Low Severity |\n| -------------- | ------------------ |---------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Previously undisclosed vulnerabilities with a major impact on Xiaomi's business.\n* Novel vulnerabilities involving new technology, or of a kind never reported in the industry before, that also have a major impact on Xiaomi's business.\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting a user's personal information before obtaining the user's consent.\n* Continuing to collect a user's personal information after the user has refused such collection.\n* Collecting personal information beyond the scope the user authorized.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy. 
\n* Not providing mobile users with a way to delete their personal information.\n* Not providing mobile users with a way to modify their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operations and maintenance monitoring systems, test pages, test environments, and open-source systems deployed without access control\n\n*Please note that the list above may be updated at any time as the business changes.*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system-level access, including but not limited to SQL injection, remote overflows, etc.\n* Obtaining sensitive user data, including but not limited to order-ID traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that yield large illegitimate gains and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' account details, logging in to Mi Cloud and controlling the user's phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Injection vulnerabilities, including but not limited to SQL injection\n* Activity and business-logic vulnerabilities, such as illegitimately obtaining points or red-envelope rewards\n* Weak passwords or authentication bypass giving access to back-end systems with some actual authority or 
sensitive information\n* Obtaining sensitive information of a subset of users\n* Source code disclosure with a major impact\n* SSRF that reaches the intranet and returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Taking over individual accounts with user interaction, gaining the user's actual operating authority\n* Privilege escalation causing serious damage to key functions; design flaws, such as obtaining a large amount of valid user information through a logic vulnerability\n* Complete access to core-business session cookies or other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a small number of users' information\n* Stored XSS vulnerabilities\n* Privilege escalation causing limited damage, such as editing or deleting comments, changing functional settings, etc.\n* File inclusion and directory traversal vulnerabilities that expose part of some sensitive information\n* Source code disclosure that cannot be exploited further\n* SSRF that reaches the intranet with no echo or only partial echo, where no information or service access can be obtained (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub leaks such as employee mailboxes, production server account passwords, etc.\n* CSRF on key functions\n* File upload leading to phishing or stored XSS\n* Vulnerabilities that require strong or multi-step user interaction (two or more steps) to have an impact\n* Domain names pointing at stale targets (dangling records) that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure on third-party platforms such as GitHub\n* CSRF in non-critical business\n* Temporary file disclosure / debug information disclosure\n* Exposed phpinfo() pages\n* Unvalidated URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on unlikely scenarios or pre-conditions\n* Disclosure of .svn or .git directories containing no sensitive information\n* XSS via the HTTP Host header\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All apps of MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps by Xiaomi Inc. and apps preinstalled in MIUI\n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users financial loss\n* Obtaining system root privileges\n* Remote command execution\n* Bypassing access controls to reach payment data or users’ authentication data in the TEE\n* Bypassing system security mechanisms such as secure boot or SELinux\n* A permanent denial-of-service attack launched remotely that renders the device unusable. 
Recovery requires reflashing the firmware or a double wipe.\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to the sensitive information of a subset of users\n* Vulnerabilities that need some user interaction but can lead to major loss for users\n* Obtaining system privileges\n* Bypassing the lock screen at the system level (must be tested on the latest development builds and be reliably reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned at the Critical level\n* Dangerous Android or Chromium vulnerabilities that have remained unfixed for more than 6 months (PoC and exploit required)\n* Remote permanent denial of service against an important app\n* Gaining access to the victim app without user interaction by installing a malicious app\n* A permanent denial-of-service attack launched locally that renders the device unusable and requires reflashing or a double wipe to recover\n* A temporary denial-of-service attack launched remotely that crashes or reboots the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can be used to deceive users, e.g. for phishing\n* Bypassing the lock screen at the app level\n* Cloning the app from a malicious app on older Android versions\n* Reading users’ sensitive information from a malicious app on older Android versions\n* SQL injection exposing sensitive information in a local app database\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities**\n* Insecure app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Attacks that need physical access, specific scenarios or the user's cooperation to compromise information security\n* Loading arbitrary URLs through an exposed component, usable for phishing\n* Reading sensitive information (but not users' personal information) from a malicious app\n* SQL injection exposing non-sensitive information in a local app database\n* Invoking another app's components from a malicious app to open arbitrary addresses or files, without being able to obtain the data\n* Browser address bar spoofing\n* A temporary denial-of-service attack launched locally that crashes or reboots the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Hardware accepted in Xiaomi’s program includes Xiaomi and Mijia products.\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability against “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code on, or obtaining private user data (video, audio, passwords, authentication keys/tokens, network traffic) from, the target device over the Internet or via near-field contactless access\n* Unauthorized control of the target device over the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic flaws that can cause large financial losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code on, or obtaining private user data (video, audio, passwords, authentication keys/tokens, network traffic) from, the target device from within the LAN\n* Unauthorized control of the target device from within the LAN or via near-field contactless access, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code in, or tampering with the firmware of, the target device with physical access but without dismantling the device\n* Denial of service (not including traffic-volume or performance attacks) against the device over the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. 
Self-XSS / having a user paste JavaScript into the browser console / exposure of non-functional third-party API keys with no significant security impact\n* Subdomain takeovers where you cannot prove the subdomain can actually be taken over\n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-only CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old versions of Internet Explorer\n    * HTTP status code pages, other non-standard HTTP pages, and files containing non-sensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain any intranet server information and only produces a DNS log entry, with no further impact\n* Misconfigurations such as:\n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability\n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of code obfuscation\n* OAuth \u0026 app secrets hard-coded in, or recoverable from, the APK\n* Any kind of sensitive data stored in the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting android:allowBackup=\"true\"\n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**(Mobile) Others**\n* Any data leak that requires the malicious app to have already acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible on a rooted or jailbroken device)\n* Spoofing vulnerabilities that are not convincingly deceptive\n* Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please email security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi quietly fix a vulnerability that it has declined?\n\n*Absolutely not! If a declined vulnerability is later fixed, it is because a change to the business itself removed it, not because Xiaomi ignored the hacker's report and fixed it silently.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-08T14:50:41.913Z"},{"id":3666225,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response Targets\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities\n    * Web Vulnerabilities\n    * Mobile Vulnerabilities\n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\n**Monthly Xiaomi Hacker Leaderboard**\n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward commences from March 2021.\n\nWe will update the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below, and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021 | @t4kemyh4nd |\n| May 2021 | @t4kemyh4nd |\n| June 2021 | @dgiese |\n| July 2021 | @godiego |\n| August 2021 | @sudhakar_muthumani |\n| September 2021 | @xingguang |\n| October 2021 | @kaonenniang |\n| November 2021 | @shadow2639 |\n| December 2021 | @bobrov |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center aims to raise the overall security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: we oppose and condemn the actions of hackers who use vulnerability testing as an excuse for, e.g., exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution: when the results of a vulnerability review are disputed, we will handle the dispute on the principle of prioritizing the reporter's interests; if necessary, external parties may be invited to decide jointly, using the CVSS standard.\n* This platform is only for international white hats. 
White hats from China should submit their reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n ------------ \nThe Log4j2 JNDI injection vulnerability is a widely applicable, general-purpose vulnerability. Under our handling principle for such general vulnerabilities, the company is currently carrying out an internal self-inspection and upgrade, and Log4j-related reports submitted at this stage will not be accepted for reward. We thank the white hats for their help and assistance with Xiaomi's security work all along the way!\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and follow-ups in your report if our response times are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, it will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive a reduced award.\n* The final assessment of each vulnerability is determined by its impact, the risk it poses and the mitigation measures currently in place.\n* Multiple vulnerabilities with the same root cause count as one. For example, multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and rate them according to their actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF in production, please use the following address for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be replaced with a custom value so that your requests can be distinguished from others:\n    * If the response is echoed back (in-band SSRF), submit a full-page screenshot of the echoed content in the report, noting the text length and whether the echo is complete or partial.\n    * If there is no echo (blind SSRF), state the custom value and the access time in the report, and Xiaomi Security will verify the request on the sheriff service.\n* Information disclosure from cloud storage buckets (e.g. S3, KSS, FDS):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable.\n    * Whether the vulnerability is valid will depend on the sensitivity of the leaked information.\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second, comprehensive evaluation of valid vulnerabilities rated Critical. Based on the overall impact of the vulnerability on the business, hackers may be awarded an additional $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will further assess its complexity, the extent of its impact and its novelty, among other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month receives an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded in the second month, and so on. \n* This additional reward will be paid on the hacker’s most recent valid report for that month. 
E.g. if a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid in the following month on the third (most recent) valid report. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will announce the results of our Hall of Fame every month, and the top security researcher of each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report, and the value of that reward, is entirely at Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded a bounty. \n\n\u003e ## _PRIVACY VULNERABILITIES_\n\n**Testing Scope**: Xiaomi mobile apps preinstalled on Xiaomi mobile phones\n\n| App Name | Package Name |\n| ------------------ | ----------------------- |\n| App Vault | com.mi.android.globalminusscreen |\n| Backup \u0026 Reset (Backup) | com.miui.backup |\n| Browser (Mi Browser) | com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms |\n| Mi Video (Mi Video Player) | com.miui.videoplayer |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) | com.miui.securitycenter 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services \u0026 feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n| High Severity | Medium Severity | Low Severity |\n| -------------- | ------------------ |---------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Previously undisclosed vulnerabilities with a major impact on Xiaomi's business.\n* Novel vulnerabilities involving new technology, or of a kind never reported in the industry before, that also have a major impact on Xiaomi's business.\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting a user's personal information before obtaining the user's consent.\n* Continuing to collect a user's personal information after the user has refused such collection.\n* Collecting personal information beyond the scope the user authorized.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy. 
\n* Not providing mobile users with a way to delete their personal information.\n* Not providing mobile users with a way to modify their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operations and maintenance monitoring systems, test pages, test environments, and open-source systems deployed without access control\n\n*Please note that the list above may be updated at any time as the business changes.*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system-level access, including but not limited to SQL injection, remote overflows, etc.\n* Obtaining sensitive user data, including but not limited to order-ID traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that yield large illegitimate gains and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' account details, logging in to Mi Cloud and controlling the user's phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Injection vulnerabilities, including but not limited to SQL injection\n* Activity and business-logic vulnerabilities, such as illegitimately obtaining points or red-envelope rewards\n* Weak passwords or authentication bypass giving access to back-end systems with some actual authority or 
sensitive information\n* Obtaining sensitive information of a subset of users\n* Source code disclosure with a major impact\n* SSRF that reaches the intranet and returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Taking over individual accounts with user interaction, gaining the user's actual operating authority\n* Privilege escalation causing serious damage to key functions; design flaws, such as obtaining a large amount of valid user information through a logic vulnerability\n* Complete access to core-business session cookies or other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a small number of users' information\n* Stored XSS vulnerabilities\n* Privilege escalation causing limited damage, such as editing or deleting comments, changing functional settings, etc.\n* File inclusion and directory traversal vulnerabilities that expose part of some sensitive information\n* Source code disclosure that cannot be exploited further\n* SSRF that reaches the intranet with no echo or only partial echo, where no information or service access can be obtained (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub leaks such as employee mailboxes, production server account passwords, etc.\n* CSRF on key functions\n* File upload leading to phishing or stored XSS\n* Vulnerabilities that require strong or multi-step user interaction (two or more steps) to have an impact\n* Domain names pointing at stale targets (dangling records) that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~1500 |\n| General Business   | $300~700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a refresh or double wipe to recover\n* Launching a temporary denial of service attack remotely causes a remote downtime or reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* Browser address bar spoofing attack\n* A temporary denial of service attack is launched locally to cause a remote downtime or reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (Except for APP logs with                                                          sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in android app\n* APP setting allowbackup:True \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to the exported component causes the APP to crash only\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerability with less deceptive\n* Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability？\n\n*Absolutely not ! If the neglected vulnerability is fixed, it may be the change of business itself that leads to the repairement of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-08T10:19:59.177Z"},{"id":3663315,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n     * Privacy Vulnerabilities \n     * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\n Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021\n\nWe will be updating this Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n| August 2021   | @sudhakar_muthumani  |\n| September 2021   | @xingguang  |\n| October 2021 | @kaonenniang |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n ------------ \nLog4j2 JNDI injection vulnerability affects a wide range of general-purpose vulnerabilities. According to the general vulnerability handling principle, the company’s internal self-examination and upgrade repair at this stage, Log4j related reports will be handled negligently. Thanks to the white hats for their help and assistance to Xiaomi's safety work.Thank you all the way there are you in~\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with our Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty after. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\u003e ## _ PRIVACY VULNERABILITIES_\n\n**Testing Scope**:  Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Broswer) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging ) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security（Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n** Bounties **\n\n|  High Severity  | Medium Severity  | Low Severity   | \n| -------------- | ------------------ |---------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities which will lead to great impact to Xiaomi business.\n* New vulnerrabilities which involve new technology or never reported in the industry. Meanwhile it will bring great impact to the xiaomi business.  \n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting user's personal information before obtaining the user's consent. \n* User's personal information is still collected after user's rejection on collection such information.\n* The personal information actually collected exceeds the scope of user authorization.\n\n** Examples of LOW Vulnerabilities**\n* Not publicly disclosing collecting and use Rules for using personal information in privacy policy. 
\n* Not providing mobile users with method of deleting their personal information.\n*  Not providing mobile users with method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or 
sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~1500 |\n| General Business   | $300~700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a refresh or double wipe to recover\n* Launching a temporary denial of service attack remotely causes a remote downtime or reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* Browser address bar spoofing attack\n* A temporary denial of service attack is launched locally to cause a remote downtime or reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs with sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection controls in Android apps\n* APP setting allowbackup:True \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because a malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are only marginally deceptive\n* Attacks that are only possible in older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be a change in the business itself that leads to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-22T10:38:07.183Z"},{"id":3661694,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities \n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\nMonthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will update the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n| August 2021   | @sudhakar_muthumani  |\n| September 2021   | @xingguang  |\n| October 2021 | @kaonenniang |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. 
For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. 
\n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with our Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty after. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\u003e ## _PRIVACY VULNERABILITIES_\n\n**Testing Scope**: Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) | com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) | com.miui.securitycenter. |\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n| High Severity  | Medium Severity  | Low Severity   |\n| -------------- | ---------------- | -------------- |\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities that will have a great impact on Xiaomi's business.\n* New vulnerabilities that involve new technology or have never been reported in the industry, and that will have a great impact on Xiaomi's business.  
\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting a user's personal information before obtaining the user's consent. \n* A user's personal information is still collected after the user has refused its collection.\n* The personal information actually collected exceeds the scope of the user's authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy. \n* Not providing mobile users with a method of deleting their personal information.\n* Not providing mobile users with a method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that allow obtaining large profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      
| Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such 
as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Requires some user interaction but can lead to great losses for users\n* Obtain system permission\n* Bypass the lock screen at the system level (must be tested on the latest development versions and be universally reproducible)\n* Bypass authentication to access sensitive data in the TEE other than that mentioned at the Critical level\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Requires installing a malicious app to gain access to the victim app without user interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a refresh or double wipe to recover\n* Launching a temporary denial-of-service attack remotely causes remote downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* Bypass the lock screen at the app level\n* Requires installing a malicious app to clone an app in an older native Android environment\n* Requires installing a malicious app to read users' sensitive information in an older native Android environment\n* SQL injection exposing sensitive information in a local App\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or the user's cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information, but not users' information \n* SQL injection exposing non-sensitive information in a local App\n* Causing other app components to open any address or open a file, but without being able to obtain the data, by installing a malicious app\n* Browser address bar spoofing attack\n* A temporary denial-of-service attack launched locally causes remote downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with firmware on the target device through physical access, but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - unable to prove it can be taken over \n* Minimal security implications such as logout/unauthenticated/low-impact CSRF/low-impact CRLF/self-use CSRF/low-impact clickjacking, low-impact UI redressing/CORS misconfiguration without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information such as:\n    * Error messages: software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain older IE browsers\n    * HTTP codes/pages, other HTTP non-codes/pages, and similar non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain any intranet server information and only produce a DNS log entry, without any further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs with sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection controls in Android apps\n* APP setting allowbackup:True \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because a malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are only marginally deceptive\n* Attacks that are only possible in older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be a change in the business itself that leads to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-15T12:43:04.744Z"},{"id":3660855,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities \n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\nMonthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will update the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n| August 2021   | @sudhakar_muthumani  |\n| September 2021   | @xingguang  |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. 
For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. 
\n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with our Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty after. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\u003e ## _ PRIVACY VULNERABILITIES_\n\n**Testing Scope**:  Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Broswer) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging ) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security（Security Center) |  com.miui.securitycenter. |\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n** Bounties **\n\n|  High Severity  | Medium Severity  | Low Severity   | \n| -------------- | ------------------ |---------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities which will lead to great impact to Xiaomi business.\n* New vulnerrabilities which involve new technology or never reported in the industry. Meanwhile it will bring great impact to the xiaomi business.  
\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting a user's personal information before obtaining the user's consent.\n* Continuing to collect a user's personal information after the user has rejected such collection.\n* The personal information actually collected exceeds the scope of the user's authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy.\n* Not providing mobile users with a method of deleting their personal information.\n* Not providing mobile users with a method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that obtain large profits and cause losses to the company and users\n* Vulnerabilities that damage the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      
| Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection\n* Some activity or business logic vulnerabilities, such as obtaining profits from points and red envelopes\n* Weak passwords or verification bypass that give access to backend systems with some actual authority or sensitive information\n* Obtaining some users' sensitive information\n* Code disclosure vulnerabilities with a large impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log in to individual accounts through user interaction and grant actual user operating authority\n* Privilege escalation that causes great damage to key functions, or design defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities that expose some sensitive information\n* Code disclosure that cannot be made use of\n* SSRF to the intranet with no echo or partial echo, where information and service permissions cannot be obtained (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such 
as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload that enables phishing or stored XSS\n* Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure / debug info disclosure\n* phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI\n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or security mechanisms such as SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable. 
It requires a reflash or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that need some interaction logic but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned in the critical level\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Installing a malicious app is required to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally that makes the device unusable and requires a reflash or double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Installing a malicious app is required to clone the app in a lower Android native environment\n* Installing a malicious app is required to read users' sensitive information in a lower Android native environment\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities**\n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Physical access, specific scenarios, or users’ cooperation is needed to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Installing a malicious app is required to read sensitive information that is not users' information\n* SQL injection of insensitive information in a local app\n* Using other apps' components to open any address or file, but the data cannot be obtained by installing a malicious app\n* Browser address bar spoofing attack\n* A temporary denial-of-service attack launched locally that causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products.\n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN environment.\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with firmware on the target device through physical access, without dismantling the device\n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS / having a user paste JavaScript into the browser console / unserviceable exposure of third-party API keys with no significant security impact\n* Subdomain takeovers where it cannot be proven that the subdomain can be taken over\n* Minimal security implications such as logout / unauthenticated / low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking, low-impact UI redressing, or misconfigurations that lead to CORS without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive information disclosure such as:\n    * Error messages: software version / IP\n    * Uploaded file cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain low-level IE browsers\n    * HTTP codes/pages or other HTTP non-codes/pages, etc., and insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain the relevant server information from the intranet, and only produce a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs with sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in an Android app\n* App setting allowBackup: true\n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**(Mobile) Others**\n* Any data leak because a malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida/AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that are only possible on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be a change in the business itself that led to the vulnerability being repaired, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-01T13:04:11.892Z"},{"id":3660365,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n     * Privacy Vulnerabilities \n     * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\n1. Privacy Vulnerabilities Promotion \n\nWe are very excited to announce a new reward structure for privacy vulnerabilities! To celebrate the addition, we will be running a promotion from  ==01/10/2021-31/10/2021==. 
During this time period, in addition to the base reward structure,  we will also offer a Special Contribution Reward whereby hackers may be rewarded an additional ==**$1,000 - $3,000 USD vulnerability reward**== based on the overall impact of the vulnerability to the business. \n\nPlease see the Vulnerability Rewards Structure for more details.\n\n2. Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021\n\nWe will be updating this Xiaomi Hacker Leaderboard winners on a monthly basis. Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n| August 2021   | @sudhakar_muthumani  |\n| September 2021   | @xingguang  |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with our Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty after. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\u003e ## _ PRIVACY VULNERABILITIES_\n\n**Testing Scope**:  Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Broswer) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging ) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security（Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n** Bounties **\n\n|  High Severity  | Medium Severity  | Low Severity   | \n| -------------- | ------------------ |---------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities which will lead to great impact to Xiaomi business.\n* New vulnerrabilities which involve new technology or never reported in the industry. Meanwhile it will bring great impact to the xiaomi business.  \n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting user's personal information before obtaining the user's consent. \n* User's personal information is still collected after user's rejection on collection such information.\n* The personal information actually collected exceeds the scope of user authorization.\n\n** Examples of LOW Vulnerabilities**\n* Not publicly disclosing collecting and use Rules for using personal information in privacy policy. 
\n* Not providing mobile users with method of deleting their personal information.\n*  Not providing mobile users with method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or 
sensitive information\n* Obtaining some users' sensitive information\n* Code disclosure vulnerabilities that have a huge impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log in to individual accounts via user interaction and gain actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtaining a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or the ability to cause widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities which can view some parts of sensitive information\n* Code disclosure that cannot be exploited\n* SSRF against the intranet with no echo or partial echo that cannot obtain information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload vulnerabilities that cause phishing or stored XSS harm\n* Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/debug info disclosure\n* phpinfo disclosure\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI\n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing security boot, such as SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable. 
It requires a reflash or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or some users' sensitive information\n* Vulnerabilities that need some interaction but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned in the critical level\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Needing a malicious app installed to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally that makes the device unusable and requires a reflash or double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Needing a malicious app installed to clone the app in a lower Android native environment\n* Needing a malicious app installed to read users' sensitive information in a lower Android native environment\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities**\n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Needing physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Needing a malicious app installed to read sensitive information that is not users' information\n* SQL injection of non-sensitive information in a local app\n* Using an installed malicious app to make other app components open any address or file, but without being able to obtain the data\n* Browser address bar spoofing attacks\n* A temporary denial-of-service attack launched locally that causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* The accepted range of hardware in Xiaomi’s program includes Xiaomi and Mijia products.\n* For hardware / IoT assets specifically not listed in the Scope section, please submit the vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into the target device or tampering with its firmware through physical access, but without dismantling the device\n* Denial-of-service impact (not including traffic and performance attacks) on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. E.g. 
Self-XSS/having a user paste JavaScript into the browser console/unusable exposure of third-party API keys with no significant security impact\n* Subdomain takeovers where you are unable to prove the subdomain can be taken over\n* Issues with minimal security implications, such as logout CSRF/unauthenticated CSRF/low-impact CSRF/low-impact CRLF/self-use CSRF/low-impact clickjacking, low-impact UI redressing/misconfigurations that lead to CORS but without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Non-sensitive information disclosure, such as:\n    * Error messages: software version/IP\n    * Uploaded file cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages or other HTTP non- codes/pages etc./non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain the relevant server information of the intranet, but only produce a DNS log entry without any impact\n* Misconfigurations such as:\n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in an Android app\n* App setting allowBackup: true\n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**(Mobile) Others**\n* Any data leak that occurs because a malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be a change in the business itself that led to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-21T11:00:58.148Z"},{"id":3659115,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities\n    * Web Vulnerabilities\n    * Mobile Vulnerabilities\n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\n1. Privacy Vulnerabilities Promotion \n\nWe are very excited to announce a new reward structure for privacy vulnerabilities! To celebrate the addition, we will be running a promotion from ==01/10/2021-31/10/2021==. 
During this time period, in addition to the base reward structure, we will also offer a Special Contribution Reward whereby hackers may be rewarded an additional ==**$1,000 - $3,000 USD vulnerability reward**== based on the overall impact of the vulnerability to the business.\n\nPlease see the Vulnerability Rewards Structure for more details.\n\n2. Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will update the Xiaomi Hacker Leaderboard winners on a monthly basis. Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle them in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be introduced.\n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process.\n\nPlease _do not_ spam messages and follow-ups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received.\n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced with automated tools or scanners will be ignored or receive decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures.\n* Multiple vulnerabilities caused by the same vulnerability source are counted as one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm unknown and 0-day issues, and only confirm the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following test link for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" part of the path can be customized to distinguish your tests:\n    * If there is an echo display, a complete page screenshot of the echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, state the content and access time of the custom field in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of the information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward.\n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability, amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.\n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on.\n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
E.g. If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month.\n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards.\n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty.\n\n\u003e ## _PRIVACY VULNERABILITIES_\n\n**Testing Scope**: Xiaomi mobile apps preinstalled on Xiaomi mobile phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms |\n| Mi Video (Mi Video Player) | com.miui.videoplayer |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) |  com.miui.securitycenter 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n\n| High Severity | Medium Severity | Low Severity |\n| -------------- | ------------------ |---------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities which will lead to great impact on Xiaomi's business.\n* New vulnerabilities which involve new technology or have never been reported in the industry, and which will bring great impact to Xiaomi's business.\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting a user's personal information before obtaining the user's consent.\n* Continuing to collect a user's personal information after the user has rejected the collection of such information.\n* The personal information actually collected exceeds the scope of the user's authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy. 
\n* Not providing mobile users with a method of deleting their personal information.\n* Not providing mobile users with a method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that obtain large profits and cause losses to the company and users\n* Vulnerabilities that damage the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection\n* Some activity and business logic vulnerabilities, such as obtaining some profits from scores and red envelopes\n* Weak passwords or verification bypass that give access to backend clients with some actual authority or 
sensitive information\n* Obtaining some users' sensitive information\n* Code disclosure vulnerabilities that have a huge impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log in to individual accounts via user interaction and gain actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtaining a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or the ability to cause widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities which can view some parts of sensitive information\n* Code disclosure that cannot be exploited\n* SSRF against the intranet with no echo or partial echo that cannot obtain information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload vulnerabilities that cause phishing or stored XSS harm\n* Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/debug info disclosure\n* phpinfo disclosure\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI\n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing security boot, such as SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable. 
It requires a reflash or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or some users' sensitive information\n* Vulnerabilities that need some interaction but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned in the critical level\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Needing a malicious app installed to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally that makes the device unusable and requires a reflash or double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Needing a malicious app installed to clone the app in a lower Android native environment\n* Needing a malicious app installed to read users' sensitive information in a lower Android native environment\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities**\n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Needing physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Needing a malicious app installed to read sensitive information that is not users' information\n* SQL injection of non-sensitive information in a local app\n* Using an installed malicious app to make other app components open any address or file, but without being able to obtain the data\n* Browser address bar spoofing attacks\n* A temporary denial-of-service attack launched locally that causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* The accepted range of hardware in Xiaomi’s program includes Xiaomi and Mijia products.\n* For hardware / IoT assets specifically not listed in the Scope section, please submit the vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into the target device or tampering with its firmware through physical access, but without dismantling the device\n* Denial-of-service impact (not including traffic and performance attacks) on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. E.g. 
Self-XSS/having a user paste JavaScript into the browser console/non-exploitable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Minimal security implications, such as logout/unauthenticated/low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking, low-impact UI redressing, or a CORS misconfiguration without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive information disclosure, such as:\n    * Error messages revealing software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browser versions\n    * HTTP status codes/pages or other non-HTTP-code pages, insensitive information files, etc.\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain any information about internal servers, only a DNS log hit without any further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs with sensitive information, or user data for which encryption has been promised)\n* Lack of code obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting allowBackup set to true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only crashes the app\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak that requires a malicious app to have already been granted the appropriate permissions\n* Runtime hooking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities with little deceptive potential\n* Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a vulnerability it has rejected?\n\n*Absolutely not! If a rejected vulnerability is later fixed, the fix may result from a change in the business itself, rather than from Xiaomi ignoring the hacker's report and fixing it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-01T08:53:49.565Z"},{"id":3659114,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Privacy Vulnerabilities \n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\n1. Privacy Vulnerabilities Promotion \n\nWe are very excited to announce a new reward structure for privacy vulnerabilities! To celebrate the addition, we will be running a promotion from ==01/10/2021-31/10/2021==. 
During this time period, in addition to the base reward structure, we will also offer a Special Contribution Reward whereby hackers may be rewarded an additional ==**$1,000 - $3,000 USD vulnerability reward**== based on the overall impact of the vulnerability to the business. \n\nPlease see the Vulnerability Rewards Structure for more details.\n\n2. Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward commences from March 2021.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly basis. Congratulations to the hackers below, and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg: exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to jointly decide, applying the CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and follow-ups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures. \n* Multiple vulnerabilities caused by the same root cause count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm unknown and 0-day issues, and only the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following endpoint for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be customized to distinguish your tests:\n    * If the response is echoed, a complete page screenshot of the echoed response (including text length, and whether the echo is complete or partial) shall be submitted in the report.\n    * If the response is not echoed, state the content and access time of your custom segment in the report, and Xiaomi Security will verify it.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of its impact and its novelty, amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
E.g.: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded a bounty. \n\n\u003e ## _PRIVACY VULNERABILITIES_\n\n**Testing Scope**: Xiaomi mobile apps preinstalled on Xiaomi mobile phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services\u0026feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n| High Severity  | Medium Severity  | Low Severity   | \n| -------------- | ------------------ |--------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities which would have a great impact on Xiaomi's business.\n* New vulnerabilities which involve new technology or have never been reported in the industry, and which would have a great impact on Xiaomi's business.  \n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting a user's personal information before obtaining the user's consent. \n* A user's personal information is still collected after the user has declined collection of such information.\n* The personal information actually collected exceeds the scope of the user's authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the rules for collecting and using personal information in the privacy policy. 
\n* Not providing mobile users with a method of deleting their personal information.\n* Not providing mobile users with a method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operations and maintenance monitoring, test pages, test environments, and open-source systems that lack access control\n\n*Please note that the list above may be updated according to business changes at any time.*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that yield large illicit profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as obtaining some profit from points and red envelopes \n* Weak passwords or verification bypass to access backend clients with some actual authority or 
sensitive information\n* Obtaining some users' sensitive information\n* Code disclosure vulnerabilities with a large impact\n* SSRF into the intranet that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts via user interaction, with actual user operating authority\n* Privilege escalation which causes great damage to key functions; design defect vulnerabilities, such as obtaining a large amount of valid user information through logic flaws\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities which expose some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF into the intranet with no echo or partial echo, where no information or service permissions can be obtained (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such as employees' mailboxes, online server account passwords, etc.\n* CSRF on key functions\n* File upload that enables phishing or stored XSS\n* Vulnerabilities that need strong, multi-step interaction (two or more steps) to have an impact\n* Dangling domain name records that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/debug info disclosure\n* phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot protections, such as SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable. 
It requires reflashing or a double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Requires some user interaction but can lead to great loss for users\n* Obtaining system permissions\n* Bypassing the lock screen at the system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned in the Critical level\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally that makes the device unusable and requires reflashing or a double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerability which can deceive users or enable phishing, etc.\n* Bypassing the lock screen at the app level\n* Requires installing a malicious app to clone an app on older native Android versions\n* Requires installing a malicious app to read users' sensitive information on older native Android versions\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerability which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or the user's cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information, but not users' information \n* SQL injection of insensitive information in a local app\n* Using other apps' components to open any address or file, but the data cannot be obtained by installing a malicious app\n* Browser address bar spoofing attack\n* A temporary denial-of-service attack launched locally that causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or use of functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware on the target device through physical access but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/non-exploitable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Minimal security implications, such as logout/unauthenticated/low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking, low-impact UI redressing, or a CORS misconfiguration without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive information disclosure, such as:\n    * Error messages revealing software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browser versions\n    * HTTP status codes/pages or other non-HTTP-code pages, insensitive information files, etc.\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain any information about internal servers, only a DNS log hit without any further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs with sensitive information, or user data for which encryption has been promised)\n* Lack of code obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting allowBackup set to true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only crashes the app\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak that requires a malicious app to have already been granted the appropriate permissions\n* Runtime hooking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities with little deceptive potential\n* Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a vulnerability it has rejected?\n\n*Absolutely not! If a rejected vulnerability is later fixed, the fix may result from a change in the business itself, rather than from Xiaomi ignoring the hacker's report and fixing it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-01T08:46:02.668Z"},{"id":3659113,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates \n\n1. Privacy Vulnerabilities Promotion \n\nWe are very excited to announce a new reward structure for privacy vulnerabilities! To celebrate the addition, we will be running a promotion from ==01/10/2021-31/10/2021==. 
During this time period, in addition to the base reward structure, we will also offer a Special Contribution Reward whereby hackers may be rewarded an additional ==**$1,000 - $3,000 USD vulnerability reward**== based on the overall impact of the vulnerability to the business. \n\nPlease see the Vulnerability Rewards Structure for more details.\n\n2. Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward commences from March 2021.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly basis. Congratulations to the hackers below, and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg: exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to jointly decide, applying the CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and follow-ups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\u003e ## _PRIVACY VULNERABILITIES_\n\n**Testing Scope**: Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones\n\n| App Name     | Package Name                 |\n| ------------------ | ----------------------- |\n| App Vault  | com.mi.android.globalminusscreen  |\n| Backup \u0026 Reset (Backup) | com.miui.backup   |\n| Browser (Mi Browser) |  com.mo.globalbrowser |\n| Downloads | com.android.providers.downloads.ui |\n| File manager | com.mi.android.globalFileexplorer  |\n| Gallery | com.miui.gallery |\n| Messaging (Network Messaging) | com.android.mms. |\n| Mi Video (Mi Video Player) | com.miui.videoplayer. |\n| Music (Mi Music) | com.miui.player |\n| Security (Security Center) |  com.miui.securitycenter. 
|\n| Weather | com.miui.weather |\n| Mint Keyboard | com.mint.keyboard |\n| GetApps | com.xiaomi.mipicks |\n| Settings | com.android.settings |\n| Mi Store | com.mi.global.shop |\n| Mi Community | com.mi.global.bbs |\n| Gallery | com.miui.android.fashiongallery |\n| Mi Drop | com.xiaomi.midrop |\n| Mi Cloud | com.miu.cloudservice |\n| Themes | com.android.thememanager |\n| Notes | com.miui.notes |\n| Camera | com.android.camera |\n| Clock | com.android.deskclock |\n| Compass | com.miui.compass |\n| Mi Account | com.xiaomi.account |\n| Mi Calculator | com.miui.calculator |\n| Recorder | com.android.soundrecorder |\n| Screen Record | com.miui.screenrecorder |\n| Services \u0026 feedback (Bug Report) | com.miui.bugreport |\n| System Launcher (Desktop Launcher) | com.miui.home |\n\n**Bounties**\n| High Severity  | Medium Severity  | Low Severity   | \n| -------------- | ------------------ |--------------|\n| $450 | $150 | $50 |\n\n**Examples of HIGH Vulnerabilities**\n* Undisclosed vulnerabilities that have a great impact on Xiaomi's business.\n* New vulnerabilities that involve new technology or have never been reported in the industry, and that also have a great impact on Xiaomi's business.\n\n**Examples of MEDIUM Vulnerabilities**\n* Collecting the user's personal information before obtaining the user's consent.\n* The user's personal information is still collected after the user has refused such collection.\n* The personal information actually collected exceeds the scope of the user's authorization.\n\n**Examples of LOW Vulnerabilities**\n* Not publicly disclosing the collection and use rules for personal information in the privacy policy. 
\n* Not providing mobile users with method of deleting their personal information.\n*  Not providing mobile users with method of modifying their personal information.\n\n--------- \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or 
sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible 
for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or some users' sensitive information\n* Requires some user interaction but can lead to great loss for users\n* Obtain system permission\n* Bypass the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypass authentication to access sensitive data in the TEE other than the data mentioned in the Critical level\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without user interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a refresh or double wipe to recover\n* Launching a temporary denial-of-service attack remotely causes remote downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerability that can deceive users or enable phishing, etc.\n* Bypass lock screen at app level\n* Requires installing a malicious app to clone the app in the lower Android native environment\n* Requires installing a malicious app to read users' sensitive information in the lower Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerability that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios or users' cooperation to endanger information security\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information\n* SQL injection exposing insensitive information in a local app\n* Invoking other app components to open any address or file by installing a malicious app, but without being able to obtain the data\n* Browser address bar spoofing attack\n* A temporary denial-of-service attack launched locally causes remote downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n* Serious logic errors that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with firmware on the target device with physical access but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs with sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection controls in Android apps\n* APP setting allowBackup set to true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida/AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities with little deceptive effect\n* Attacks that only work on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be that a change in the business itself led to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-01T08:44:52.497Z"},{"id":3657871,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates - Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n| May 2021 | @t4kemyh4nd |\n| June 2021   | @dgiese  |\n| July 2021   | @godiego  |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. 
For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. 
\n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with our Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty after. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* 
CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing the permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or protections such as SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to the sensitive information of a large portion of users\n* Vulnerabilities that need some interaction logic but can lead to great losses for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned at the level above\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Gaining access to the victim app without interaction after installing a malicious app\n* A permanent denial-of-service attack launched locally that makes the device unusable and requires a refresh or double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes remote downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, phishing etc.\n* Bypassing the lock screen at app level\n* Cloning the app in a lower Android native environment after installing a malicious app\n* Reading users’ sensitive information in a lower Android native environment after installing a malicious app\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low risk information disclosure\n* Vulnerabilities which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Reading sensitive information, but not users' information, after installing a malicious app \n* SQL injection of insensitive information in a local app\n* Invoking other apps' components to open any address or file, but without obtaining the data, by installing a malicious app\n* Browser address bar spoofing attacks\n* A temporary denial-of-service attack launched locally that causes remote downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through the LAN or near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device through physical access but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. E.g. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF/Low-impact clickjacking, low-impact UI redressing/misconfiguration that leads to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive information disclosure such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or other HTTP non-codes/pages etc./insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but only a simple accessed DNS log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs with sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in Android app\n* APP setting allowBackup:true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that are only possible on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be a change in the business itself that led to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-03T09:01:19.319Z"},{"id":3655003,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates - Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below and we look forward to more hackers joining the ranks!\n\n| Month      | Hacker Leaderboard winner |\n| ---------- | ------------------------- |\n| March 2021 | @dgiese                   |\n| April 2021 | @t4kemyh4nd               |\n| May 2021   | @t4kemyh4nd               |\n| June 2021  | @dgiese                   |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle them in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and the CVSS standard may be introduced. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and follow-ups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same vulnerability source are counted as one. 
For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm unknown ones and 0days, and only confirm the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following test link: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized to distinguish your tests:\n    * If there is an echo display, a complete page screenshot of the echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field shall be provided in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of the information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. 
\n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability, amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that obtain large profits and cause losses to the company and users\n* Vulnerabilities that damage the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as obtaining some profits from points and red envelopes \n* Weak passwords or verification bypass giving access to backend systems with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF to the intranet that returns intranet information (Please 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login to individual accounts through user interaction, gaining the actual operating authority of that user\n* Privilege escalation which causes great damage to key functions; design-defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties etc.\n* File inclusion and directory traversal vulnerabilities which could expose some parts of sensitive information\n* Code disclosure that cannot be made use of\n* SSRF to the intranet with no echo or partial echo, but which cannot obtain information or service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Github disclosure such as employees' mailboxes and online server account passwords etc.\n* CSRF on key functions\n* File upload that causes phishing or stored XSS harm\n* Vulnerabilities that need strong, multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* 
CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing the permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or protections such as SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable. 
It requires a refresh or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to the sensitive information of a large portion of users\n* Vulnerabilities that need some interaction logic but can lead to great losses for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned at the level above\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Gaining access to the victim app without interaction after installing a malicious app\n* A permanent denial-of-service attack launched locally that makes the device unusable and requires a refresh or double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes remote downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, phishing etc.\n* Bypassing the lock screen at app level\n* Cloning the app in a lower Android native environment after installing a malicious app\n* Reading users’ sensitive information in a lower Android native environment after installing a malicious app\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low risk information disclosure\n* Vulnerabilities which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Reading sensitive information, but not users' information, after installing a malicious app \n* SQL injection of insensitive information in a local app\n* Invoking other apps' components to open any address or file, but without obtaining the data, by installing a malicious app\n* Browser address bar spoofing attacks\n* A temporary denial-of-service attack launched locally that causes remote downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through the LAN or near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device through physical access but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. E.g. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF/Low-impact clickjacking, low-impact UI redressing/misconfiguration that leads to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive information disclosure such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or other HTTP non-codes/pages etc./insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but only a simple accessed DNS log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for APP logs with sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in Android app\n* APP setting allowBackup:true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the APP to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that are only possible on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be a change in the business itself that led to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-07-16T09:53:30.030Z"},{"id":3654144,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates - Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. 
For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized to distinguish your tests:\n    * If there is an echo display, a complete page screenshot of the echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, state the content and access time of the custom field in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of the information leaked\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. 
\n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with our Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty after. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* 
CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. 
It requires a reflash or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to most of a user's sensitive information\n* Requires some interaction, but can lead to a great loss for users\n* Obtain system permission\n* Bypass the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypass authentication to access sensitive data in the TEE other than the data mentioned in the Critical level\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Requires installing a malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a reflash or double wipe to recover\n* Launching a temporary denial-of-service attack remotely causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerability that can deceive users or enable phishing, etc.\n* Bypass lock screen at app level\n* Requires installing a malicious app to clone the app in a lower Android native environment\n* Requires installing a malicious app to read users' sensitive information in a lower Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities exploitable only under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or users' cooperation to endanger information security\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information \n* SQL injection exposing non-sensitive information in a local app\n* Using a malicious app to invoke other apps' components to open any address or file, without being able to obtain the data\n* Browser address bar spoofing attack\n* A temporary denial-of-service attack launched locally causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the LAN.\n* Unauthorized control of the target device through the LAN or near-field non-contact mode, or use of functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with firmware on the target device through physical access, without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (Except for APP logs with                                                          sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in android app\n* APP setting allowbackup:True \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to the exported component causes the APP to crash only\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerability with less deceptive\n* Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be that a change in the business itself led to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-07-01T06:57:39.833Z"},{"id":3653045,"new_policy":"# TABLE OF CONTENTS\n* Updates - Monthly Xiaomi Hacker Leaderboard\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n\n# Updates - Monthly Xiaomi Hacker Leaderboard \n\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, **the hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month.** This special reward will commence from March 2021.\n\nWe will be updating the Xiaomi Hacker Leaderboard winners on a monthly basis. 
Congratulations to the hackers below!\n\n| Month      | Hacker Leaderboard winner      |\n| ---------- | ----------- |\n| March 2021 | @dgiese |\n| April 2021   | @t4kemyh4nd  |\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. 
For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. \n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. 
For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized to distinguish your tests:\n    * If there is an echo display, a complete page screenshot of the echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, state the content and access time of the custom field in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of the information leaked\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. 
\n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with our Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (@XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty after. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* 
CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission check to access payment data or users’ authentication data in the TEE\n* Bypass secure boot or security mechanisms such as SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. 
It requires a reflash or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that need some interaction logic and can lead to great loss for users\n* Obtain system permission\n* Bypass the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypass authentication to access sensitive data in the TEE other than the data mentioned in the CRITICAL level\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Need to install a malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a reflash or double wipe to recover\n* Launching a temporary denial-of-service attack remotely causes remote downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerability which can deceive users, enable phishing etc.\n* Bypass the lock screen at app level\n* Need to install a malicious app to clone an app in a lower Android native environment\n* Need to install a malicious app to read users’ sensitive information in a lower Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward 
structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerability which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Need to install a malicious app to read sensitive information, but not users' information \n* SQL injection exposing insensitive information in a local app\n* Invoking other apps' components to open any address or open a file, but without obtaining the data, by installing a malicious app\n* Browser address bar spoofing attack\n* A temporary denial-of-service attack is launched locally to cause downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or a near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through the LAN or a near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device through physical access but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unexploitable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Minimal security implications, such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF/Low-impact clickjacking, low-impact UI redressing/misconfiguration that leads to a permissive CORS policy but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of insensitive information such as:\n    * Error messages: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages or other HTTP non-codes/pages etc., and insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain relevant server information from the Intranet, and only produces a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App setting android:allowBackup set to true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because a malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix an ignored vulnerability?\n\n*Absolutely not! If an ignored vulnerability is fixed, it is likely a change to the business itself that led to the vulnerability being repaired, rather than Xiaomi ignoring hackers' reports and then fixing the issue.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-04T12:36:11.156Z"},{"id":3650611,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporters; if necessary, external parties may be invited to jointly decide, and the CVSS standard may be introduced. \n* This platform is only suitable for international white hats. Chinese white hats should submit reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n\nPlease _do not_ spam messages and follow-ups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received. 
\n\n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same vulnerability source count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown issues and 0days, and only confirm the first submission.\n* As for vulnerabilities in cooperating manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following link for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be customized to distinguish your requests:\n    * If there is an echo (the response is displayed), a complete page screenshot of the echo (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo, state the content and access time of the custom field in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of its impact and its novelty, amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (@XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions, including but not limited to SQL injection, remote overflows etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection etc.\n* Payment vulnerabilities, including but not limited to serious logic errors, 
obtaining large profits that cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity and business logic vulnerabilities, such as obtaining some profit from points and red envelopes \n* Weak passwords or verification bypass to access backend clients, with some actual authority or sensitive information\n* Obtain part of users' sensitive information\n* Code disclosure vulnerabilities that have a huge impact\n* SSRF into the intranet that returns intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts with user interaction and that grant actual user operating authority\n* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties etc.\n* File inclusion and directory traversal vulnerabilities which expose some parts of sensitive information\n* Code disclosure that cannot be exploited\n* SSRF into the intranet with no echo or partial echo, but which cannot obtain information or service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Github disclosure such as employees' mailboxes and online server account passwords etc.\n* CSRF on key functions\n* File upload that causes phishing or stored XSS\n* Vulnerabilities that need strong, multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git 
disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission check to access payment data or users’ authentication data in the TEE\n* Bypass secure boot or security mechanisms such as SELinux\n* A permanent denial-of-service attack is launched remotely to make the device unusable. It requires a reflash or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that need some interaction logic and can lead to great loss for users\n* Obtain system permission\n* Bypass the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypass authentication to access sensitive data in the TEE other than the data mentioned in the CRITICAL level\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Need to install a malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a reflash or double wipe to 
recover\n* Launching a temporary denial-of-service attack remotely causes remote downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerability which can deceive users, enable phishing etc.\n* Bypass the lock screen at app level\n* Need to install a malicious app to clone an app in a lower Android native environment\n* Need to install a malicious app to read users’ sensitive information in a lower Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerability which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Need to install a malicious app to read sensitive information, but not users' information \n* SQL injection exposing insensitive information in a local app\n* Invoking other apps' components to open any address or open a file, but without obtaining the data, by installing a malicious app\n* Browser address bar spoofing attack\n* A temporary denial-of-service attack is launched locally to cause downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or a near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through the LAN or a near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device through physical access but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unexploitable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Minimal security implications, such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF/Low-impact clickjacking, low-impact UI redressing/misconfiguration that leads to a permissive CORS policy but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of insensitive information such as:\n    * Error messages: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages or other HTTP non-codes/pages etc., and insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain relevant server information from the Intranet, and only produces a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App setting android:allowBackup set to true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because a malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix an ignored vulnerability?\n\n*Absolutely not! If an ignored vulnerability is fixed, it is likely a change to the business itself that led to the vulnerability being repaired, rather than Xiaomi ignoring hackers' reports and then fixing the issue.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-31T09:53:01.127Z"},{"id":3650391,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporters; if necessary, external parties may be invited to jointly decide, and the CVSS standard may be introduced. \n* This platform is only suitable for international white hats. Chinese white hats should submit reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures. \n* Multiple vulnerabilities caused by the same root cause count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only confirm the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following endpoint for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be customized to distinguish your requests:\n    * If the response is echoed, submit a complete page screenshot of the echoed content (including the text length, and whether it is a complete or partial echo) in the report.\n    * If there is no echo, state the content and access time of the custom field in the report, and Xiaomi Security will verify it.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of its impact and its novelty, amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
E.g.: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (@XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that expose sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors, 
obtaining large improper profits that cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as obtaining some profit from points and red envelopes \n* Weak passwords or verification bypass giving access to backend systems with some actual authority or sensitive information\n* Obtaining some users' sensitive information\n* Code disclosure vulnerabilities with a large impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts via user interaction, with actual user operating authority\n* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic flaws\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities which could expose some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF with no echo or partial echo that cannot obtain intranet information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload that enables phishing or stored XSS\n* Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n* Dangling domain name records that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git 
disclosure\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing system security mechanisms such as secure boot or SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable and requires a reflash or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to some users' sensitive information\n* Vulnerabilities that need some user interaction but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned at the Critical level\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a reflash or double wipe to 
recover\n* A temporary denial-of-service attack launched remotely that causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Requires installing a malicious app to clone the app on older native Android versions\n* Requires installing a malicious app to read users' sensitive information on older native Android versions\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical access, specific scenarios, or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information other than users' information \n* SQL injection of insensitive information in a local app\n* Installing a malicious app to make another app's components open any address or file, without being able to obtain the data\n* Browser address bar spoofing attacks\n* A temporary denial-of-service attack launched locally that causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN.\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with firmware on the target device through physical access, but without dismantling the device \n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. 
Self-XSS/having a user paste JavaScript into the browser console/Unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where you cannot prove the subdomain can actually be taken over \n* Minimal security implications, such as logout/unauthenticated/low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking, low-impact UI redressing, or a misconfiguration that leads to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive information disclosure such as:\n    * Error messages: software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages or other non-HTTP codes/pages, insensitive information files, etc.\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain relevant intranet server information, but only produce a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs with sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App setting allowBackup set to true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak that occurs because a malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida/AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that are only possible on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability gets fixed, it may be that a change in the business itself led to the repair of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-26T04:00:39.044Z"},{"id":3650149,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be introduced. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures. \n* Multiple vulnerabilities caused by the same root cause count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only confirm the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following endpoint for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be customized to distinguish your requests:\n    * If the response is echoed, submit a complete page screenshot of the echoed content (including the text length, and whether it is a complete or partial echo) in the report.\n    * If there is no echo, state the content and access time of the custom field in the report, and Xiaomi Security will verify it.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of its impact and its novelty, amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
E.g.: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (@XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that expose sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors, 
obtaining large improper profits that cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as obtaining some profit from points and red envelopes \n* Weak passwords or verification bypass giving access to backend systems with some actual authority or sensitive information\n* Obtaining some users' sensitive information\n* Code disclosure vulnerabilities with a large impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts via user interaction, with actual user operating authority\n* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic flaws\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities which could expose some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF with no echo or partial echo that cannot obtain intranet information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload that enables phishing or stored XSS\n* Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n* Dangling domain name records that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git 
disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing system security mechanisms such as secure boot or SELinux\n* A permanent denial-of-service attack launched remotely that makes the device unusable and requires a reflash or double wipe to recover\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to some users' sensitive information\n* Vulnerabilities that need some user interaction but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned at the Critical level\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a 
reflash or double wipe to recover\n* A temporary denial-of-service attack launched remotely that causes downtime or a reboot of the device\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Requires installing a malicious app to clone the app on older native Android versions\n* Requires installing a malicious app to read users' sensitive information on older native Android versions\n* SQL injection of sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical access, specific scenarios, or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information other than users' information \n* SQL injection of insensitive information in a local app\n* Installing a malicious app to make another app's components open any address or file, without being able to obtain the data\n* Browser address bar spoofing attacks\n* A temporary denial-of-service attack launched locally that causes downtime or a reboot of the device, affecting system availability\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or a near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the LAN.\n* Unauthorized control of the target device through the LAN or a near-field non-contact mode, or making it perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code into, or tamper with the firmware of, the target device through physical access but without dismantling the device \n* Denial-of-service impact (not including traffic and performance attacks) on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS, having a user paste JavaScript into the browser console, or unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of insensitive information, such as:\n    * Error messages revealing software version or IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages, other non-HTTP codes/pages, etc., and insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain any information about intranet servers and only produce a DNS log entry without further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting android:allowBackup set to true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak caused by a malicious app that has already acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be that a change in the business itself led to the repair of the vulnerability, rather than Xiaomi ignoring the hacker's report and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-22T08:35:43.230Z"},{"id":3650148,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of a vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to decide jointly, using the CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive a decreased award.\n* The final assessment of each vulnerability is determined by its impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same vulnerability source count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown ones and 0days, and only confirm the first submission.\n* As for vulnerabilities in cooperating manufacturers' products, we only confirm those related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following address for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
E.g. if a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (@XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher of each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded a bounty. \n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain users' sensitive data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors, 
obtaining large profits and causing losses to the company and users\n* Vulnerabilities that damage the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity and business logic vulnerabilities, such as obtaining some profit from points and red envelopes \n* Weak passwords or verification bypass giving access to backend clients with some actual authority or sensitive information\n* Obtain some users' sensitive information\n* Code disclosure vulnerabilities that have a huge impact\n* SSRF into the intranet that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities allowing login to individual accounts with user interaction, giving actual user operating authority\n* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or the ability to cause widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a few users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities which can expose some sensitive information\n*  Code disclosure that cannot be made use of\n*  SSRF into the intranet with no echo or partial echo, but which cannot obtain information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub disclosure, such as employees' mailboxes and online server account passwords, etc.\n*  CSRF on key functions\n*  File upload vulnerabilities that cause phishing or stored XSS harm\n*  Vulnerabilities that need strong interaction or multi-step interaction (two or more steps) to have an impact\n*  Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/debug info disclosure\n* phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities depending on difficult scenarios or pre-conditions\n* Insensitive .svn or .git 
disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause economic losses to users\n* Obtain system root permission\n* Remote command execution\n* Bypass the permission check to access payment data or users’ authentication data in the TEE\n* Bypass secure boot protections, such as SELinux\n* A permanent denial-of-service attack launched remotely makes the device unusable; recovery requires a reflash or double wipe\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to most or some users' sensitive information\n* Requires some user interaction, but can lead to great loss for users\n* Obtain system permission\n* Bypass the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypass authentication to access sensitive data in the TEE other than the data mentioned at the critical level\n* Android or Chromium vulnerabilities that remain unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Requires installing a malicious app to gain access to the victim app without user interaction\n* A permanent denial-of-service attack launched locally causes the device to be unusable and requires a 
reflash or double wipe to recover\n* A temporary denial-of-service attack launched remotely causes the device to hang or reboot\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can be used to deceive users, for phishing, etc.\n* Bypass the lock screen at app level\n* Requires installing a malicious app to clone the app in a stock environment on lower Android versions\n* Requires installing a malicious app to read users' sensitive information in a stock environment on lower Android versions\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information \n* SQL injection exposing insensitive information in a local app\n* Abusing another app's components to open any address or file, but the data cannot be obtained by installing a malicious app\n* Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or a near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the LAN.\n* Unauthorized control of the target device through the LAN or a near-field non-contact mode, or making it perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code into, or tamper with the firmware of, the target device through physical access but without dismantling the device \n* Denial-of-service impact (not including traffic and performance attacks) on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS, having a user paste JavaScript into the browser console, or unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of insensitive information, such as:\n    * Error messages revealing software version or IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages, other non-HTTP codes/pages, etc., and insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain any information about intranet servers and only produce a DNS log entry without further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting android:allowBackup set to true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak caused by a malicious app that has already acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be that a change in the business itself led to the repair of the vulnerability, rather than Xiaomi ignoring the hacker's report and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-22T08:27:44.235Z"},{"id":3649971,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of a vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to decide jointly, using the CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive a decreased award.\n* The final assessment of each vulnerability is determined by its impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same vulnerability source count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown ones and 0days, and only confirm the first submission.\n* As for vulnerabilities in cooperating manufacturers' products, we only confirm those related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following address for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports,  we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of the impact of the vulnerability and the novelty of the vulnerability amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program  in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (@XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors, 
obtaining large profits that cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Activity or business logic vulnerabilities, such as obtaining some profit from points or red envelopes \n* Weak passwords or verification bypasses that give access to backend systems with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities with a huge impact\n* SSRF that returns intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts with user interaction and grant actual operating authority as that user\n* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or the ability to cause widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a small number of users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities that expose some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF into the intranet with no echo or partial echo that cannot obtain information or service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosures such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload vulnerabilities that enable phishing or stored XSS\n* Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n* Domain names that point to the wrong target and can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git 
disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or security mechanisms such as SELinux\n* TEE arbitrary command execution\n* Remote permanent denial of service of the system which affects the system’s important features such as wifi, SMS and telephone.\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to part of users' sensitive information\n* Vulnerabilities that are of little use to an attacker but may lead to great loss for users\n* Vulnerabilities that need some user interaction but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development version and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than that mentioned at the Critical level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* 
Requires installing a malicious app to gain access to the victim app, without user interaction\n* Requires installing a malicious app to clone an app on the newest native Android version\n* Requires installing a malicious app to bypass permission restrictions and read users' private data.\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities that can make the system restart or deny service to some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Bypassing authentication of the find-phone function or resetting the phone\n* Local leak of general user information\n* Remote temporary denial of service of the system\n* Requires installing a malicious app to clone an app on older native Android versions\n* Requires installing a malicious app to read users' sensitive information on older native Android versions\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical access, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information \n* SQL injection exposing non-sensitive information in a local app\n* Using an installed malicious app to make other apps' components open an arbitrary address or file, without being able to obtain the data\n* Browser 
address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field contactless mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device over the LAN.\n* Unauthorized control of the target device over the LAN or in near-field contactless mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with the firmware of the target device through physical access, without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS/having a user paste JavaScript into the browser console/unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where you cannot prove the subdomain can be taken over \n* Issues with minimal security implications, such as logout/unauthenticated/low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking, low-impact UI redressing, or misconfiguration that leads to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information such as:\n    * Error messages: software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP codes/pages or other HTTP non-codes/pages etc./non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain information about intranet servers and only produce a DNS log entry, without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded/recoverable in the APK\n* Any kind of sensitive data protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App setting allowBackup:true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that are only possible on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a neglected vulnerability?\n\n*Absolutely not! If a neglected vulnerability is fixed, it may be that a change in the business itself led to the vulnerability being repaired, rather than Xiaomi ignoring hackers' reports and fixing it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-17T09:11:37.230Z"},{"id":3649970,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be introduced. \n* This platform is only intended for international white hats. Chinese white hats should submit reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive a reduced award.\n* The final assessment of each vulnerability is determined by its impact, its risks and the current mitigation measures.\n* Multiple vulnerabilities that stem from the same source are counted as one, for example multiple problems caused by a particular server configuration, the same file or template, generic domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be customized so that your requests can be told apart:\n    * If there is an echo (the response is displayed), submit a complete page screenshot of the echoed response (including text length, and whether the echo is complete or partial) in the report.\n    * If there is no echo, state the content of the custom segment and the access time in the report, and Xiaomi Security will verify it.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n \n------------ \n\n# Special Rewards\n### Special Breakthrough Contribution Award\nAs a special thank you for contributing impactful reports, we will conduct a second comprehensive evaluation on valid vulnerabilities determined to be Critical severity. Based on the overall impact of the vulnerability to the business, hackers may be rewarded an additional amount of $1,000-$8,000 USD on top of the base vulnerability reward. \n\n##### Evaluation Criteria\nOn top of the overall impact of the vulnerability, we will conduct an evaluation to further assess its complexity, the extent of its impact and its novelty, amongst other factors.\n### Monthly Xiaomi Hacker Leaderboard Reward\nTo thank the hackers who have continuously worked on our program to surface vulnerabilities, we are introducing a monthly Xiaomi Hacker Leaderboard Special Reward! The hacker who has earned the most bounty on our program in each month can get an additional 30% reward on top of their total bounties for that month. \n* Results will be tabulated after the first month and awarded accordingly in the second month, and so on. \n* This additional reward will be awarded on the hacker’s most recent valid report for that month. 
Eg: If a hacker has earned $10,000 in bounties across 3 reports this month, they will receive an additional 30% bounty amounting to $3,000, paid out on the third valid report in the next month. \n\n##### Leaderboard Update\nStay up to date with Xiaomi’s Hall of Fame! Please follow us on the Xiaomi Security Center Twitter page (@XiaomiSecurity) for updates. We will be announcing the results of our Hall of Fame every month, and the top security researcher in each month will receive their additional 30% bounty afterwards. \n \n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors, 
obtaining large profits that cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Activity or business logic vulnerabilities, such as obtaining some profit from points or red envelopes \n* Weak passwords or verification bypasses that give access to backend systems with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities with a huge impact\n* SSRF that returns intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts with user interaction and grant actual operating authority as that user\n* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or the ability to cause widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a small number of users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities that expose some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF into the intranet with no echo or partial echo that cannot obtain information or service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosures such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload vulnerabilities that enable phishing or stored XSS\n* Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n* Domain names that point to the wrong target and can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git 
disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or security mechanisms such as SELinux\n* TEE arbitrary command execution\n* Remote permanent denial of service of the system which affects the system’s important features such as wifi, SMS and telephone.\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to part of users' sensitive information\n* Vulnerabilities that are of little use to an attacker but may lead to great loss for users\n* Vulnerabilities that need some user interaction but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development version and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than that mentioned at the Critical level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* 
Requires installing a malicious app to gain access to the victim app, without user interaction\n* Requires installing a malicious app to clone an app on the newest native Android version\n* Requires installing a malicious app to bypass permission restrictions and read users' private data.\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities that can make the system restart or deny service to some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Bypassing authentication of the find-phone function or resetting the phone\n* Local leak of general user information\n* Remote temporary denial of service of the system\n* Requires installing a malicious app to clone an app on older native Android versions\n* Requires installing a malicious app to read users' sensitive information on older native Android versions\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical access, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information \n* SQL injection exposing non-sensitive information in a local app\n* Using an installed malicious app to make other apps' components open an arbitrary address or file, without being able to obtain the data\n* Browser 
address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field contactless mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device over the LAN.\n* Unauthorized control of the target device over the LAN or in near-field contactless mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with the firmware of the target device through physical access, without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (Except for APP logs with                                                          sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in android app\n* APP setting allowbackup:True \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to the exported component causes the APP to crash only\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerability with less deceptive\n* Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability？\n\n*Absolutely not ! If the neglected vulnerability is fixed, it may be the change of business itself that leads to the repairement of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-17T08:43:34.856Z"},{"id":3649750,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Rewards\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n* Special Breakthrough Contribution Award.\nFor vulnerabilities that involve serious leakage of sensitive information, directly cause the denial of service of Xiaomi's core business, and remote access to core system permissions, and have a huge impact on Xiaomi's security, additional 150$-7000$rewards will be given after verification by the MiSRC.\n*  Monthly Rewards\nThe security expert with the most bonus in a month can get an additional 30% bonus as an additional reward.\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* 
CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~1500 |\n| General Business   | $300~700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE 
other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* Need to install malicious app to clone app in the newest  Android native environment\n* Need to install a malicious app to bypass permission restrictions and read user privacy datas.\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make system restart or some feathers deny service by installing app\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Bypass the authentication to find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to 
read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities 
\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (Except for APP logs with                                                          sensitive information or user data for which encryption has been promised)\n* Lack of obfuscation is out of scope\n* OAuth \u0026 App secret hard-coded/recoverable in APK\n* Any kind of sensitive data protected by the APP private directory\n* Lack of binary protection control in android app\n* APP setting allowbackup:True \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to the exported component causes the APP to crash only\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak because the malicious APP has acquired the appropriate permissions\n* Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerability with less deceptive\n* Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix the neglected vulnerability？\n\n*Absolutely not ! If the neglected vulnerability is fixed, it may be the change of business itself that leads to the repairement of the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-09T10:14:20.118Z"},{"id":3649259,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Vulnerabilities and Reward Structure\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Special Rewards\n* Special Breakthrough Contribution Award.\nFor vulnerabilities that involve serious leakage of sensitive information, directly cause the denial of service of Xiaomi's core business, and remote access to core system permissions, and have a huge impact on Xiaomi's security, additional 150$-7000$rewards will be given after verification by the MiSRC.\n*  Monthly Rewards\nThe security expert with the most bonus in a month can get an additional 30% bonus as an additional reward.\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Pls 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Pls use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* 
CSRF in non-critical business.\n* Temporary file disclosure / debug info disclosure\n* phpinfo disclosure\n* Unvalidated URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on unlikely scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI\n\n### Bounties for CRITICAL Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing security boot protections, such as SELinux\n* Arbitrary command execution in the TEE\n* Remote permanent denial of service of the system that affects important features such as Wi-Fi, SMS and telephony\n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n\n**Examples of HIGH vulnerabilities**\n* Remote access to part of users' sensitive information\n* Vulnerabilities that bring the attacker no gain but may cause great loss to users\n* Vulnerabilities that need some user interaction and can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development version and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE 
other than those mentioned at the CRITICAL level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* Need to install a malicious app to gain access to the victim app without interaction\n* Need to install a malicious app to clone an app in the newest native Android environment\n* Need to install a malicious app to bypass permission restrictions and read users' private data\n\n### Bounties for MEDIUM Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities that make the system restart or cause denial of service of some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Bypassing authentication for the find-phone function or to reset the phone\n* Local leak of users’ general information\n* Remote temporary denial of service of the system\n* Need to install a malicious app to clone an app in an older native Android environment\n* Need to install a malicious app to read users’ sensitive information in an older native Android environment\n* SQL injection exposing sensitive information in a local app\n\n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Need to install a malicious app to 
read sensitive information that is not users' information\n* SQL injection exposing non-sensitive information in a local app\n* Need to install a malicious app to make other apps' components open any address or file, without obtaining the data\n* Browser address bar spoofing attack\n\n------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted hardware in Xiaomi’s Program includes Xiaomi and Mijia products.\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”.\n\n### Bounties for HIGH Vulnerabilities\nReward: $3000\n\n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining users' private data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses\n\n### Bounties for MEDIUM Vulnerabilities\nReward: $1500\n\n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining users' private data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n\n### Bounties for LOW Vulnerabilities\nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with firmware on the target device with physical access but without dismantling the device\n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities 
\n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. self-XSS, having a user paste JavaScript into the browser console, or exposure of unusable third-party API keys with no significant security impact\n* Subdomain takeovers where you are unable to prove the subdomain can be taken over\n* Issues with minimal security implications, such as logout / unauthenticated / low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking or UI redressing, and misconfigurations that lead to permissive CORS but without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software version or IP\n    * Uploaded files that cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old versions of Internet Explorer\n    * HTTP status codes/pages and similar non-sensitive pages or information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain information about intranet servers and only produce a DNS log entry without any impact\n* Misconfigurations such as:\n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability\n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n* Any kind of sensitive data protected only by the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting allowBackup set to true\n\n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**(Mobile) Others**\n* Any data leak that occurs because a malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that are only possible in older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a vulnerability it has dismissed?\n\n*Absolutely not! If a dismissed vulnerability is later fixed, it is a change in the business itself that led to the fix, rather than Xiaomi ignoring hackers' reports and fixing the issue quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-01T09:40:57.877Z"},{"id":3649258,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Vulnerabilities and Reward Structure\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: we oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution: when the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be introduced.\n* This platform is only suitable for international white hats. Chinese white hats should submit their reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n\n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by its impact, its risk and the current mitigation measures.\n* Multiple vulnerabilities caused by the same root cause count as one, for example multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and rate them according to their actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" segment of the path can be customized so that your requests can be distinguished:\n    * If the response is echoed back, submit a complete page screenshot of the echoed content (including text length, and whether the echo is complete or partial) in the report.\n    * If the response is not echoed, state the content of your custom segment and the access time in the report, and Xiaomi Security will verify it.\n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n\n------------ \n\n# Special Rewards\n* Special Breakthrough/Intelligence Contribution Award. For vulnerabilities or intelligence that involve serious leakage of sensitive information, direct denial of service of Xiaomi's core business, and remote access to core system permissions, and that have a huge impact on Xiaomi's security, additional rewards will be given after verification by the MiSRC.\n* The three researchers with the highest bounty totals in a month receive an additional 30% of their bounties as an extra reward.\n\n------------ \n\n# Vulnerabilities and Reward Structure\nThe decision to grant a reward for a vulnerability report and the value of the reward are entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access restrictions\n\n*Please note that the list above may be updated according to business changes at any time*\n\n### Bounties for CRITICAL Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that expose sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that allow obtaining large profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection\n* Some activity or business logic vulnerabilities, such as obtaining some profit from points and red envelopes\n* Weak passwords or verification bypass granting access to backend systems with some actual authority or sensitive information\n* Obtaining some users' sensitive information\n* Code disclosure vulnerabilities with a huge impact\n* SSRF reaching the intranet and returning intranet information (please 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts through user interaction, with actual user operating authority\n* Privilege escalation that causes great damage to key functions; design defect vulnerabilities, such as obtaining a large amount of valid user information through logic flaws\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities\n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a small number of users' information\n* Stored XSS vulnerabilities\n* Privilege escalation that causes limited damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities that expose part of some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF reaching the intranet with no echo or partial echo, but unable to obtain information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure, such as employees' mailboxes and production server account passwords, etc.\n* CSRF on key functions\n* File upload vulnerabilities that enable phishing or stored XSS\n* Vulnerabilities that need strong, multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that allow hijacking\n\n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Disclosure of non-sensitive information on third-party platforms like GitHub.\n* 
CSRF in non-critical business.\n* Temporary file disclosure / debug info disclosure\n* phpinfo disclosure\n* Unvalidated URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on unlikely scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI\n\n### Bounties for CRITICAL Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing security boot protections, such as SELinux\n* Arbitrary command execution in the TEE\n* Remote permanent denial of service of the system that affects important features such as Wi-Fi, SMS and telephony\n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500  |\n| General Business   | $300~$700   |\n\n**Examples of HIGH vulnerabilities**\n* Remote access to part of users' sensitive information\n* Vulnerabilities that bring the attacker no gain but may cause great loss to users\n* Vulnerabilities that need some user interaction and can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development version and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE 
other than those mentioned at the CRITICAL level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* Need to install a malicious app to gain access to the victim app without interaction\n* Need to install a malicious app to clone an app in the newest native Android environment\n* Need to install a malicious app to bypass permission restrictions and read users' private data\n\n### Bounties for MEDIUM Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300   |\n| General Business   | $75~$150    |\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities that make the system restart or cause denial of service of some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Bypassing authentication for the find-phone function or to reset the phone\n* Local leak of users’ general information\n* Remote temporary denial of service of the system\n* Need to install a malicious app to clone an app in an older native Android environment\n* Need to install a malicious app to read users’ sensitive information in an older native Android environment\n* SQL injection exposing sensitive information in a local app\n\n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Need to install a malicious app to 
read sensitive information that is not users' information\n* SQL injection exposing non-sensitive information in a local app\n* Need to install a malicious app to make other apps' components open any address or file, without obtaining the data\n* Browser address bar spoofing attack\n\n------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted hardware in Xiaomi’s Program includes Xiaomi and Mijia products.\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”.\n\n### Bounties for HIGH Vulnerabilities\nReward: $3000\n\n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining users' private data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses\n\n### Bounties for MEDIUM Vulnerabilities\nReward: $1500\n\n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining users' private data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n\n### Bounties for LOW Vulnerabilities\nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with firmware on the target device with physical access but without dismantling the device\n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities 
\n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. self-XSS, having a user paste JavaScript into the browser console, or exposure of unusable third-party API keys with no significant security impact\n* Subdomain takeovers where you are unable to prove the subdomain can be taken over\n* Issues with minimal security implications, such as logout / unauthenticated / low-impact CSRF, low-impact CRLF, self-use CSRF, low-impact clickjacking or UI redressing, and misconfigurations that lead to permissive CORS but without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software version or IP\n    * Uploaded files that cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old versions of Internet Explorer\n    * HTTP status codes/pages and similar non-sensitive pages or information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain information about intranet servers and only produce a DNS log entry without any impact\n* Misconfigurations such as:\n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability\n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of obfuscation\n* OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n* Any kind of sensitive data protected only by the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting allowBackup set to true\n\n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser\n\n**(Mobile) Others**\n* Any data leak that occurs because a malicious app has acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that are only possible in older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a vulnerability it has dismissed?\n\n*Absolutely not! If a dismissed vulnerability is later fixed, it is a change in the business itself that led to the fix, rather than Xiaomi ignoring hackers' reports and fixing the issue quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-01T09:23:16.123Z"},{"id":3649256,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Special Vulnerabilities and Reward Structure\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: we oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution: when the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to decide jointly and the CVSS standard may be introduced.\n* This platform is only suitable for international white hats. Chinese white hats should submit their reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports generated by automated tools or scanners will be ignored or receive a reduced reward.\n* The final assessment of each vulnerability is determined by its impact, the risks involved and the mitigation measures currently in place. \n* Multiple vulnerabilities that share the same root cause count as one vulnerability. For example, multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and will rate them according to their actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF in production, please use the following URL pattern for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be replaced with a custom value so that your requests can be told apart:\n    * If the response is echoed back (the server returns the fetched content), submit a full-page screenshot of the echoed content in the report, including the text length and whether the echo is complete or partial.\n    * If there is no echo, state the custom value you used and the time of access in the report, and Xiaomi Security will verify the request on its side.\n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n \n------------ \n\n# Special Vulnerabilities and Reward Structure\n* Special Breakthrough/Intelligence Contribution Award. For vulnerabilities or intelligence that involve serious leakage of sensitive information, directly cause denial of service of Xiaomi's core business, or grant remote access to core system privileges, and that have a huge impact on Xiaomi's security, additional rewards will be given after verification by the MiSRC.\n* The three researchers with the highest total bounties in a month receive an additional 30% of their bounties as an extra reward.\n\n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi's discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that web and mobile app vulnerabilities of low severity will be triaged but not awarded a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi's entertainment services\n* Edge businesses: Some operation and maintenance monitoring systems, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system privileges, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that expose sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that allow large illegitimate profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging into Mi Cloud and controlling the phone, obtaining Mi Pay privileges, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as obtaining illegitimate profits from points or red envelopes \n* Weak passwords or verification bypass giving access to backend systems with some actual privileges or sensitive information\n* Obtaining part of users' sensitive information\n* Source code disclosure with a huge impact\n* SSRF into the intranet that returns intranet information (Please 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log into individual accounts with user interaction and grant actual user-level operating privileges\n* Privilege escalation that causes great damage to key functions, and design defects such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a small number of users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities that expose some sensitive information\n*  Source code disclosure that cannot be exploited further\n*  SSRF into the intranet with no echo or only a partial echo, which cannot obtain information or service privileges (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub leaks such as employee mailboxes, production server account passwords, etc.\n*  CSRF on key functions\n*  File upload leading to phishing or stored XSS\n*  Issues that require strong or multi-step user interaction (two or more steps) to have an impact\n*  Dangling DNS records (incorrect domain pointing) that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub.\n* 
CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause economic losses to users\n* Obtaining system root privileges\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users' authentication data in the TEE\n* Bypassing secure boot or SELinux\n* Arbitrary command execution in the TEE\n* Remote permanent denial of service of the system that affects important features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to a large part of users' sensitive information\n* Vulnerabilities that are of no direct use to the attacker but may lead to great loss for users\n* Vulnerabilities that require some user interaction but can lead to great loss for users\n* Obtaining system privileges\n* System-level lock screen bypass (must be tested on the latest development version and be reproducible across devices)\n* Bypassing authentication to access sensitive data in the TEE 
other than the cases listed at the Critical level\n* Local leak of users' sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without user interaction\n* Requires installing a malicious app to clone the app in the newest native Android environment\n* Requires installing a malicious app to bypass permission restrictions and read users' private data\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities that can restart the system or cause denial of service of some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* App-level lock screen bypass\n* Bypassing authentication for the find-phone function or to reset the phone\n* Local leak of general user information\n* Remote temporary denial of service of the system\n* Requires installing a malicious app to clone the app in an older native Android environment\n* Requires installing a malicious app to read users' sensitive information in an older native Android environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or the user's cooperation to endanger the security of information\n* Loading arbitrary URLs through an exported component for phishing\n* Requires installing a malicious app to 
read sensitive information that is not users' personal information \n* SQL injection exposing non-sensitive information in a local app\n* Invoking other apps' components from a malicious app to open arbitrary addresses or files, without being able to obtain the data\n* Browser address bar spoofing attacks\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Hardware accepted in Xiaomi's program includes Xiaomi and Mijia products. \n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device over the Internet or in near-field contactless mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device from the LAN.\n* Unauthorized control of the target device from the LAN or in near-field contactless mode, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with the firmware of the target device with physical access but without disassembling the device \n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities 
\n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. self-XSS, having a user paste JavaScript into the browser console, or unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, or CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old versions of Internet Explorer\n    * HTTP status code pages, other non-standard HTTP code pages, and files containing non-sensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain intranet server information and only produces an entry in a DNS log, without any further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of code obfuscation\n* OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n* Any kind of sensitive data stored in the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting allowBackup=true \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only crashes the app\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak that occurs because the malicious app has already acquired the appropriate permissions\n* Runtime manipulation exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a rooted/jailbroken environment)\n* Spoofing vulnerabilities with low deceptive potential\n* Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a vulnerability after rejecting the report?\n\n*Absolutely not! If a rejected vulnerability is later fixed, the fix is the result of a change in the business itself, not of Xiaomi ignoring the hacker's report and fixing it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-01T08:56:58.016Z"},{"id":3646218,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response Targets\n* Disclosure Guidelines\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out-of-Scope Vulnerabilities\n* Safe Harbor\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the overall security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users' privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi's services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don't cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of a vulnerability review are disputed, we will handle the dispute according to the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to decide jointly, using the CVSS standard. \n* This platform is only for international white hats. White hats from China should submit their reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe'll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports generated by automated tools or scanners will be ignored or receive a reduced reward.\n* The final assessment of each vulnerability is determined by its impact, the risks involved and the mitigation measures currently in place. \n* Multiple vulnerabilities that share the same root cause count as one vulnerability. For example, multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and will rate them according to their actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF in production, please use the following URL pattern for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be replaced with a custom value so that your requests can be told apart:\n    * If the response is echoed back (the server returns the fetched content), submit a full-page screenshot of the echoed content in the report, including the text length and whether the echo is complete or partial.\n    * If there is no echo, state the custom value you used and the time of access in the report, and Xiaomi Security will verify the request on its side.\n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi's discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that web and mobile app vulnerabilities of low severity will be triaged but not awarded a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi's entertainment services\n* Edge businesses: Some operation and maintenance monitoring systems, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system privileges, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that expose sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that allow large illegitimate profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging into Mi Cloud and controlling the phone, obtaining Mi Pay privileges, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as obtaining illegitimate profits from points or red envelopes \n* Weak passwords or verification bypass giving access to backend systems with some actual privileges or sensitive information\n* Obtaining part of users' sensitive information\n* Source code disclosure with a huge impact\n* SSRF into the intranet that returns intranet information (Please 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log into individual accounts with user interaction and grant actual user-level operating privileges\n* Privilege escalation that causes great damage to key functions, and design defects such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a small number of users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities that expose some sensitive information\n*  Source code disclosure that cannot be exploited further\n*  SSRF into the intranet with no echo or only a partial echo, which cannot obtain information or service privileges (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub leaks such as employee mailboxes, production server account passwords, etc.\n*  CSRF on key functions\n*  File upload leading to phishing or stored XSS\n*  Issues that require strong or multi-step user interaction (two or more steps) to have an impact\n*  Dangling DNS records (incorrect domain pointing) that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub.\n* 
CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause economic losses to users\n* Obtaining system root privileges\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users' authentication data in the TEE\n* Bypassing secure boot or SELinux\n* Arbitrary command execution in the TEE\n* Remote permanent denial of service of the system that affects important features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to a large part of users' sensitive information\n* Vulnerabilities that are of no direct use to the attacker but may lead to great loss for users\n* Vulnerabilities that require some user interaction but can lead to great loss for users\n* Obtaining system privileges\n* System-level lock screen bypass (must be tested on the latest development version and be reproducible across devices)\n* Bypassing authentication to access sensitive data in the TEE 
other than the cases listed at the Critical level\n* Local leak of users' sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without user interaction\n* Requires installing a malicious app to clone the app in the newest native Android environment\n* Requires installing a malicious app to bypass permission restrictions and read users' private data\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities that can restart the system or cause denial of service of some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* App-level lock screen bypass\n* Bypassing authentication for the find-phone function or to reset the phone\n* Local leak of general user information\n* Remote temporary denial of service of the system\n* Requires installing a malicious app to clone the app in an older native Android environment\n* Requires installing a malicious app to read users' sensitive information in an older native Android environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or the user's cooperation to endanger the security of information\n* Loading arbitrary URLs through an exported component for phishing\n* Requires installing a malicious app to 
read sensitive information that is not users' personal information \n* SQL injection exposing non-sensitive information in a local app\n* Invoking other apps' components from a malicious app to open arbitrary addresses or files, without being able to obtain the data\n* Browser address bar spoofing attacks\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Hardware accepted in Xiaomi's program includes Xiaomi and Mijia products. \n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device over the Internet or in near-field contactless mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device from the LAN.\n* Unauthorized control of the target device from the LAN or in near-field contactless mode, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with the firmware of the target device with physical access but without disassembling the device \n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities 
\n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS / having a user paste JavaScript into the browser console / unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-only CSRF, low-impact clickjacking / UI redressing, and CORS misconfigurations that do not lead to any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of insensitive information, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP status codes/pages, other non-standard HTTP codes/pages, and other files containing insensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain information about intranet servers and only produces a DNS log entry without any further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of code obfuscation\n* OAuth \u0026 app secrets hard-coded in / recoverable from the APK\n* Any kind of sensitive data that is protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting android:allowBackup=\"true\" \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak that occurs because the malicious app has already acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida / AppMon (exploits only possible in a rooted or jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a vulnerability that was dismissed?\n\n*Absolutely not! If a dismissed vulnerability is later fixed, it is because a change to the business itself led to the fix, not because Xiaomi ignored the hacker's report and fixed it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T06:37:32.888Z"},{"id":3646217,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of a vulnerability review are disputed, we will handle the dispute according to the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to decide jointly using the CVSS standard. \n* This platform is only for international white hats. Chinese white hats should submit reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive a reduced award.\n* The final assessment of each vulnerability is determined by its impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same root cause count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm unknown and 0-day issues, and only confirm the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following endpoint for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1000~$2000 |\n| General Business   | $400~$1000  |\n| Edge Business      | $150~$300   |\n\n\n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that expose sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that yield large profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n| Business type      | Bounty    |\n| ------------------ | --------- |\n| Important Business | $300~$600 |\n| General Business   | $150~$300 |\n| Edge Business      | $50       |\n\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as gaining profit from points and red envelopes \n* Weak passwords or verification bypass giving access to backend systems with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities with a large impact\n* SSRF into the intranet that returns intranet information (Please 
use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Logging in to individual accounts via user interaction, with actual user operating authority\n* Privilege escalation that causes great damage to key functions, or design defects such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n| Business type      | Bounty                  |\n| ------------------ | ----------------------- |\n| Important Business | $50~$80                 |\n| General Business   | $50                     |\n| Edge Business      | Not eligible for bounty |\n\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a small number of users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities that expose some sensitive information\n*  Code disclosure that cannot be exploited\n*  SSRF into the intranet with no or partial echo that cannot obtain information or service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub disclosure, such as employees' mailboxes and production server account passwords, etc.\n*  CSRF on key functions\n*  File upload leading to phishing or stored XSS\n*  Issues that need strong or multi-step interaction (two or more steps) to have an impact\n*  Misconfigured domain name records that can be hijacked\n \n### LOW vulnerabilities\n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub.\n* 
CSRF in non-critical business.\n* Temporary file disclosure / debug info disclosure\n* Exposed phpinfo() page\n* Unvalidated URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or preconditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* All apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $1500~$6000 |\n| General Business   | $700~$3000  |\n\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing system security mechanisms such as secure boot or SELinux\n* Arbitrary command execution in the TEE\n* Remote permanent denial of service against the system\nthat affects important features such as Wi-Fi, SMS and telephony.\n \n\n### Bounties for HIGH Vulnerabilities\n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $700~$1500 |\n| General Business   | $300~$700  |\n \n\n **Examples of HIGH vulnerabilities**\n* Remote access to a large part of users' sensitive information\n* Vulnerability that is of no use to the attacker but may cause great loss to users\n* Requires some user interaction but can lead to great loss to users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development version and be generally reproducible)\n* Bypassing authentication to access sensitive data in the TEE 
other than that mentioned at the critical level\n* Leak of local users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Remote permanent denial of service against an important app\n* A malicious app must be installed to gain access to the victim app without user interaction\n* A malicious app must be installed to clone an app in the newest Android native environment\n* A malicious app must be installed to bypass permission restrictions and read users' private data\n \n \n### Bounties for MEDIUM Vulnerabilities \n| Business type      | Bounty      |\n| ------------------ | ----------- |\n| Important Business | $150~$300 |\n| General Business   | $75~$150  |\n\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability that can restart the system or deny service to some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerability that can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Bypassing authentication for the find-phone function or to reset the phone\n* Leak of local general users’ information\n* Remote temporary denial of service against the system\n* A malicious app must be installed to clone an app in an older Android native environment\n* A malicious app must be installed to read users’ sensitive information in an older Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\n*Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.*\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerability that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Physical access, specific scenarios or user cooperation required to endanger the security of information\n* Loading arbitrary URLs through an exposed component for phishing\n* 
A malicious app must be installed to read sensitive information that is not users' information \n* SQL injection exposing insensitive information in a local app\n* Invoking another app's components to open an arbitrary address or file, without being able to obtain the data, by installing a malicious app\n* Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted hardware in Xiaomi’s program includes Xiaomi and Mijia products. \n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining users' private data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device over the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining users' private data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device from the LAN.\n* Unauthorized control of the target device from the LAN or in near-field non-contact mode, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without dismantling the device \n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# 
Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS / having a user paste JavaScript into the browser console / unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-only CSRF, low-impact clickjacking / UI redressing, and CORS misconfigurations that do not lead to any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of insensitive information, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browsers\n    * HTTP status codes/pages, other non-standard HTTP codes/pages, and other files containing insensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain information about intranet servers and only produces a DNS log entry without any further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n* Lack of code obfuscation\n* OAuth \u0026 app secrets hard-coded in / recoverable from the APK\n* Any kind of sensitive data that is protected by the app's private directory\n* Lack of binary protection controls in Android apps\n* App manifest setting android:allowBackup=\"true\" \n \n**(Mobile) Local DoS attacks with limited impact**\n* Sending malformed intents to an exported component that only causes the app to crash\n* Browser crashes due to excessive resource requests\n* Local DoS attacks that users can resolve by restarting the browser  \n\n**(Mobile) Others**\n* Any data leak that occurs because the malicious app has already acquired the appropriate permissions\n* Runtime hacking exploits using tools such as, but not limited to, Frida / AppMon (exploits only possible in a rooted or jailbroken environment)\n* Spoofing vulnerabilities that are not very deceptive\n* Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n\n--------- \n\n# FAQ\n* Will Xiaomi secretly fix a vulnerability that was dismissed?\n\n*Absolutely not! If a dismissed vulnerability is later fixed, it is because a change to the business itself led to the fix, not because Xiaomi ignored the hacker's report and fixed it quietly.*\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T06:25:34.402Z"},{"id":3646216,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of a vulnerability review are disputed, we will handle the dispute according to the principle of prioritizing the interests of the reporter, and if necessary, external parties may be invited to decide jointly using the CVSS standard. \n* This platform is only for international white hats. Chinese white hats should submit reports to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive a reduced award.\n* The final assessment of each vulnerability is determined by its impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same root cause count as one. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm unknown and 0-day issues, and only confirm the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following endpoint for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n------------ \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n\n_Please note that the list above may be updated according to business changes at any time_\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge Business: $150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that expose sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that yield large profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as gaining profit from points and red envelopes \n* Weak passwords or verification bypass giving access to backend systems with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities with a large impact\n* SSRF into the intranet that returns intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Logging in to individual accounts via user interaction, with actual user operating authority\n* 
Privilege escalation that causes great damage to key functions, or design defects such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a small number of users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities that expose some sensitive information\n*  Code disclosure that cannot be exploited\n*  SSRF into the intranet with no or partial echo that cannot obtain information or service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub disclosure, such as employees' mailboxes and production server account passwords, etc.\n*  CSRF on key functions\n*  File upload leading to phishing or stored XSS\n*  Issues that need strong or multi-step interaction (two or more steps) to have an impact\n*  Misconfigured domain name records that can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure / debug info disclosure\n* Exposed phpinfo() page\n* Unvalidated URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or preconditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ 
\n\n\u003e ## _MOBILE VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or security mechanisms such as SELinux\n* TEE arbitrary command execution\n* System remote permanent denial of service\nthat affects the system’s important features such as Wi-Fi, SMS and telephony.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that are of no use to the attacker but may lead to great loss for users\n* Vulnerabilities that need some user interaction but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than that mentioned in the critical level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Important app remote permanent denial of service\n* Need to install a malicious app to gain access to the victim app without interaction\n* Need to install a malicious app to clone an app in the newest Android native environment\n* Need to install a malicious app to bypass permission restrictions and read users' private data.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability that can make the system restart or deny service to some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerability that can deceive users, enable phishing, etc.\n* Bypass the lock screen at app level\n* Bypass authentication to use the find-phone function or reset the phone\n* Local leak of users' general information\n* System remote temporary denial of service\n* Need to install a malicious app to clone an app in an older Android native environment\n* Need to install a malicious app to read users' sensitive information in an older Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerability that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Need physical contact, specific scenarios or users' cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Need to install a malicious app to read sensitive information other than users' information \n* SQL injection exposing non-sensitive information in a local app\n* Abusing other apps' components to open any address or file, but without being able to obtain the data, by installing a malicious app\n* Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* The accepted range of hardware in Xiaomi’s program includes Xiaomi and Mijia products. 
\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device via the Internet or a near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device from within the LAN.\n* Unauthorized control of the target device via the LAN or a near-field non-contact mode, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without dismantling the device \n* Denial-of-service impact on the device via the Internet or LAN (not including traffic and performance attacks)\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS / having a user paste JavaScript into the browser console / exposure of unusable third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations that do not leak any information\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old versions of Internet Explorer\n    * HTTP codes/pages or other non-standard HTTP codes/pages, and other non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain any information about internal servers and only produces a DNS log entry with no further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n     * Lack of obfuscation\n     * OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n     * Any kind of sensitive data that is protected by the app's private directory\n     * Lack of binary protection controls in the Android app\n     * The app manifest setting android:allowBackup set to true  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to an exported component that only causes the app to crash\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n      * Any data leak that requires a malicious app to have already acquired the appropriate permissions\n      * Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerabilities with little deceptive effect\n     * Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T03:44:58.913Z"},{"id":3646215,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of a vulnerability review are disputed, we will handle the dispute according to the principle of prioritizing the reporter's interests; if necessary, external parties may be invited to decide jointly and the CVSS standard may be applied. \n* This platform is only for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center: https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by its impact, the risks involved and the mitigation measures currently in place. \n* Multiple vulnerabilities caused by the same root cause are counted as one. For example, multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown issues and 0-days, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to their actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following endpoint for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\" path segment can be customized so that requests can be distinguished:\n    * If the response is echoed back, a full-page screenshot of the echoed response (including text length, and whether the echo is complete or partial) must be submitted in the report.\n    * If the response is not echoed back, state the content of the custom segment and the access time in the report, and Xiaomi Security will verify it.\n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of that reward are entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n------------ \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring systems, test pages, test environments, and open source systems that lack access controls\n\n\n_Please note that the list above may be updated according to business changes at any time_\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge Business: $150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Obtaining sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that yield large profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity or business logic vulnerabilities, such as obtaining some profit from points and red envelopes \n* Weak passwords or verification bypasses that give access to backend systems with some actual authority or sensitive information\n* Obtaining some users' sensitive information\n* Code disclosure vulnerabilities with a huge impact\n* SSRF against the intranet that returns intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities allowing login to individual accounts via user interaction, with actual user operating authority\n* 
Privilege escalation that causes great damage to key functions. Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic flaws\n* Complete access to core business session cookies and other sensitive information, or the ability to cause widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n* Important Business: $50~$80\n* General Business: $50\n* Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n* Information disclosure affecting few users\n* Stored XSS vulnerabilities\n* Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities that expose some sensitive information\n* Code disclosure that cannot be exploited further\n* SSRF against the intranet with no echo or partial echo, where no information or service permissions can be obtained (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub leaks, such as employees' mailboxes and online server account passwords\n* CSRF on key functions\n* File upload vulnerabilities that enable phishing or stored XSS\n* Issues that need strong or multi-step interaction (two or more steps) to have an impact\n* Domain names pointing to the wrong target that can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure from third-party platforms like GitHub.\n* CSRF in non-critical business.\n* Temporary file disclosure/debug info disclosure\n* phpinfo\n* Unvalidated URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n| Vulnerability 
level      | Examples                                                     | Bounty                                                       |\n| ------------------------ | :----------------------------------------------------------- | ------------------------------------------------------------ |\n| critical vulnerabilities | * Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\u003cbr /\u003e* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\u003cbr /\u003e* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\u003cbr /\u003e* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc. | Important Business: $1000~$2000\u003cbr/\u003e General Business: $400~$1000\u003cbr/\u003e Edge business：$150~$300 |\n| high vulnerabilities     | * Including but not limited to SQL injection \u003cbr/\u003e* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \u003cbr/\u003e* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\u003cbr/\u003e* Obtain partial users' sensitive information\u003cbr/\u003e* Code disclosure vulnerabilities that make a huge impact\u003cbr/\u003e* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\u003cbr/\u003e* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\u003cbr/\u003e* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\u003cbr/\u003e* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS | Important Business: $300~$600\u003cbr/\u003eGeneral Business: $150~$300\u003cbr/\u003eEdge Business: $50 |\n| medium vulnerabilities   | *  Few users' information disclosure\u003cbr/\u003e*  Stored XSS vulnerabilities\u003cbr/\u003e*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\u003cbr/\u003e*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\u003cbr/\u003e*  Code disclosure but can not make use\u003cbr/\u003e*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\u003cbr/\u003e*  Github disclosure such as employees' mailboxes and online server account passwords etc.\u003cbr/\u003e*  CSRF key functions\u003cbr/\u003e*  File upload cause phishing, storage XSS harm vulnerabilities\u003cbr/\u003e*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\u003cbr/\u003e*  Domain name pointing error can be hijacked | Important Business: $50~$80\u003cbr/\u003eGeneral Business: $50\u003cbr/\u003eEdge Business: Not eligible for bounty |\n| low vulnerabilities      | * Reflected XSS\u003cbr/\u003e* Insensitive information disclosure from third-party platforms like Github.\u003cbr/\u003e* CSRF in non-critical business.\u003cbr/\u003e* Temporary file disclosure/Debug info disclosure\u003cbr/\u003e* Phpinfo\u003cbr/\u003e* Unchecked url-redirection\u003cbr/\u003e* Mail/SMS bombing\u003cbr/\u003e* Vulnerabilities depended on difficult scenarios or pre-conditions\u003cbr/\u003e* Insensitive .svn or .git disclosure\u003cbr/\u003e* Nginx integer 
overflow\u003cbr/\u003e* \"HTTP Host Header\" XSS | Please note that low severity vulnerabilities will be triaged and you will receive reputation points.\u003cbr/\u003eBut they will be ineligible for bounty as per our reward structure. |\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or security mechanisms such as SELinux\n* TEE arbitrary command execution\n* System remote permanent denial of service\nthat affects the system’s important features such as Wi-Fi, SMS and telephony.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that are of no use to the attacker but may lead to great loss for users\n* Vulnerabilities that need some user interaction but can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than that mentioned in the critical level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit required)\n* Important app remote permanent denial of service\n* Need to install a malicious app to gain access to the victim app without interaction\n* Need to install a malicious app to clone an app in the newest Android native environment\n* Need to install a malicious app to bypass permission restrictions and read users' private data.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability that can make the system restart or deny service to some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerability that can deceive users, enable phishing, etc.\n* Bypass the lock screen at app level\n* Bypass authentication to use the find-phone function or reset the phone\n* Local leak of users' general information\n* System remote temporary denial of service\n* Need to install a malicious app to clone an app in an older Android native environment\n* Need to install a malicious app to read users' sensitive information in an older Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerability that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Need physical contact, specific scenarios or users' cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Need to install a malicious app to read sensitive information other than users' information \n* SQL injection exposing non-sensitive information in a local app\n* Abusing other apps' components to open any address or file, but without being able to obtain the data, by installing a malicious app\n* 
Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* The accepted range of hardware in Xiaomi’s program includes Xiaomi and Mijia products. \n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device via the Internet or a near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device from within the LAN.\n* Unauthorized control of the target device via the LAN or a near-field non-contact mode, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without dismantling the device \n* Denial-of-service impact on the device via the Internet or LAN (not including traffic and performance attacks)\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS / having a user paste JavaScript into the browser console / exposure of unusable third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations that do not leak any information\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old versions of Internet Explorer\n    * HTTP codes/pages or other non-standard HTTP codes/pages, and other non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain any information about internal servers and only produces a DNS log entry with no further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n     * Lack of obfuscation\n     * OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n     * Any kind of sensitive data that is protected by the app's private directory\n     * Lack of binary protection controls in the Android app\n     * The app manifest setting android:allowBackup set to true  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to an exported component that only causes the app to crash\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n      * Any data leak that requires a malicious app to have already acquired the appropriate permissions\n      * Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerabilities with little deceptive effect\n     * Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T03:41:11.900Z"},{"id":3646214,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n------------ \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n\n_Please note that the list above may be updated according to business changes at any time_\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* 
Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n------------ 
\n\n\u003e ## _MOBILE VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* Need to install malicious app to clone app in the newest  
Android native environment\n* Need to install a malicious app to bypass permission restrictions and read user privacy data.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make the system restart or cause some features to deny service by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerability which can deceive users, enable phishing, etc.\n* Bypass lock screen on app level\n* Bypass the authentication of the find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need to install a malicious app to clone the app in a lower Android native environment\n* Need to install a malicious app to read users’ sensitive information in a lower Android native environment\n* SQL injection of sensitive information in local App\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited under complex conditions\n* Application upgrade hijacked\n* Need physical contact, specific scenarios, or users’ cooperation to endanger the security of information\n* Load arbitrary URL through exposed component for phishing\n* Need to install a malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information in local App\n* Raise other app components to open any address or open a file, but can't get the data, by installing a malicious app\n* Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code into or tamper with firmware on the target device physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n     * Lack of obfuscation\n     * OAuth \u0026 App secret hard-coded/recoverable in APK\n     * Any kind of sensitive data protected by the APP private directory\n     * Lack of binary protection control in Android app\n     * APP setting allowbackup:True  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to an exported component that only causes the APP to crash\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n     * Any data leak because the malicious APP has acquired the appropriate permissions\n     * Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerabilities that are not very deceptive\n     * Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T03:35:14.226Z"},{"id":3646213,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n------------ \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n\n_Please note that the list above may be updated according to business changes at any time_\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* 
Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n| Vulnerability 
level      | Examples                                                     | Bounty                                                       |\n| ------------------------ | :----------------------------------------------------------- | ------------------------------------------------------------ |\n| critical vulnerabilities |  Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc. \nObtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\u003cbr /\u003e* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\u003cbr /\u003e* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc. | Important Business: $1000~$2000\u003cbr/\u003e General Business: $400~$1000\u003cbr/\u003e Edge business：$150~$300 |\n| high vulnerabilities     | * Including but not limited to SQL injection \u003cbr/\u003e* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \u003cbr/\u003e* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\u003cbr/\u003e* Obtain partial users' sensitive information\u003cbr/\u003e* Code disclosure vulnerabilities that make a huge impact\u003cbr/\u003e* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\u003cbr/\u003e* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\u003cbr/\u003e* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\u003cbr/\u003e* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS | Important Business: $300~$600\u003cbr/\u003eGeneral Business: $150~$300\u003cbr/\u003eEdge Business: $50 |\n| medium vulnerabilities   | *  Few users' information disclosure\u003cbr/\u003e*  Stored XSS vulnerabilities\u003cbr/\u003e*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\u003cbr/\u003e*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\u003cbr/\u003e*  Code disclosure but can not make use\u003cbr/\u003e*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\u003cbr/\u003e*  Github disclosure such as employees' mailboxes and online server account passwords etc.\u003cbr/\u003e*  CSRF key functions\u003cbr/\u003e*  File upload cause phishing, storage XSS harm vulnerabilities\u003cbr/\u003e*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\u003cbr/\u003e*  Domain name pointing error can be hijacked | Important Business: $50~$80\u003cbr/\u003eGeneral Business: $50\u003cbr/\u003eEdge Business: Not eligible for bounty |\n| low vulnerabilities      | * Reflected XSS\u003cbr/\u003e* Insensitive information disclosure from third-party platforms like Github.\u003cbr/\u003e* CSRF in non-critical business.\u003cbr/\u003e* Temporary file disclosure/Debug info disclosure\u003cbr/\u003e* Phpinfo\u003cbr/\u003e* Unchecked url-redirection\u003cbr/\u003e* Mail/SMS bombing\u003cbr/\u003e* Vulnerabilities depended on difficult scenarios or pre-conditions\u003cbr/\u003e* Insensitive .svn or .git disclosure\u003cbr/\u003e* Nginx integer 
overflow\u003cbr/\u003e* \"HTTP Host Header\" XSS | Please note that low severity vulnerabilities will be triaged  and you will receive reputation points.\u003cbr/\u003eBut it will be ineligible for bounty as per our reward structure. |\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not 
fixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Installing a malicious app gives access to the victim app without user interaction\n* Installing a malicious app allows cloning an app in the newest Android native environment\n* Installing a malicious app bypasses permission restrictions and reads user privacy data\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make the system restart or cause denial of service of some features by installing an app\n* Hijacking which causes some harm\n* Interface logic vulnerability which can deceive users, enable phishing, etc.\n* Bypass the lock screen at app level\n* Bypass authentication of the Find Phone function or reset the phone\n* Local leak of general user information\n* System remote temporary denial of service\n* Installing a malicious app allows cloning an app in a lower Android native environment\n* Installing a malicious app allows reading users’ sensitive information in a lower Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low risk information disclosure\n* Vulnerability which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or user cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Installing a malicious app allows reading sensitive information that is not users' information \n* SQL injection exposing non-sensitive information in a local app\n* Causing other app components to open any address or open a file, but the data cannot be obtained by installing a malicious app\n* 
Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic flaws which can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the LAN environment.\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with the firmware of the target device through physical access, without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Design flaws and best-practice issues that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS, having a user paste JavaScript into the browser console, or unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated CSRF, low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old versions of IE\n    * HTTP status codes/pages, other non-HTTP codes/pages, or files with non-sensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain server information from the intranet and only produce a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n     * Lack of obfuscation\n     * OAuth \u0026 app secrets hard-coded/recoverable in the APK\n     * Any kind of sensitive data protected by the app private directory\n     * Lack of binary protection controls in an Android app\n     * App setting allowBackup:true  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to an exported component which only causes the app to crash\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n      * Any data leak that requires a malicious app to have already acquired the appropriate permissions\n      * Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerabilities that are not very deceptive\n     * Attacks that are only possible on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T03:32:05.312Z"},{"id":3646212,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n------------ \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n\n_Please note that the list above may be updated according to business changes at any time_\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* 
Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n| Vulnerability 
level      | Examples                                                     | Bounty                                                       |\n| ------------------------ | :----------------------------------------------------------- | ------------------------------------------------------------ |\n| critical vulnerabilities | * Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\u003cbr /\u003e* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\u003cbr /\u003e* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\u003cbr /\u003e* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc. | Important Business: $1000~$2000\u003cbr/\u003e General Business: $400~$1000\u003cbr/\u003e Edge business：$150~$300 |\n| high vulnerabilities     | * Including but not limited to SQL injection \u003cbr/\u003e* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \u003cbr/\u003e* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\u003cbr/\u003e* Obtain partial users' sensitive information\u003cbr/\u003e* Code disclosure vulnerabilities that make a huge impact\u003cbr/\u003e* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\u003cbr/\u003e* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\u003cbr/\u003e* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\u003cbr/\u003e* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS | Important Business: $300~$600\u003cbr/\u003eGeneral Business: $150~$300\u003cbr/\u003eEdge Business: $50 |\n| medium vulnerabilities   | *  Few users' information disclosure\u003cbr/\u003e*  Stored XSS vulnerabilities\u003cbr/\u003e*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\u003cbr/\u003e*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\u003cbr/\u003e*  Code disclosure but can not make use\u003cbr/\u003e*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\u003cbr/\u003e*  Github disclosure such as employees' mailboxes and online server account passwords etc.\u003cbr/\u003e*  CSRF key functions\u003cbr/\u003e*  File upload cause phishing, storage XSS harm vulnerabilities\u003cbr/\u003e*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\u003cbr/\u003e*  Domain name pointing error can be hijacked | Important Business: $50~$80\u003cbr/\u003eGeneral Business: $50\u003cbr/\u003eEdge Business: Not eligible for bounty |\n| low vulnerabilities      | * Reflected XSS\u003cbr/\u003e* Insensitive information disclosure from third-party platforms like Github.\u003cbr/\u003e* CSRF in non-critical business.\u003cbr/\u003e* Temporary file disclosure/Debug info disclosure\u003cbr/\u003e* Phpinfo\u003cbr/\u003e* Unchecked url-redirection\u003cbr/\u003e* Mail/SMS bombing\u003cbr/\u003e* Vulnerabilities depended on difficult scenarios or pre-conditions\u003cbr/\u003e* Insensitive .svn or .git disclosure\u003cbr/\u003e* Nginx integer 
overflow\u003cbr/\u003e* \"HTTP Host Header\" XSS | Please note that low severity vulnerabilities will be triaged and you will receive reputation points.\u003cbr/\u003eThey are ineligible for bounty as per our reward structure. |\n\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause economic losses to users\n* Obtain system root permission\n* Remote command execution\n* Remote access to users’ sensitive information\n* Bypass the permission checks to access payment data or users’ authentication data in the TEE\n* Bypass security boot mechanisms, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent denial of service which affects the system’s important features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~$1500\n* General Business: $300~$700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to a large part of users’ sensitive information\n* Vulnerability which is of little use to an attacker but may lead to great loss to users\n* Vulnerability which needs some user interaction and can lead to great loss to users\n* Obtain system permission\n* Bypass the lock screen at system level (must be tested on the latest development versions and be universally reproducible)\n* Bypass authentication to access sensitive data in the TEE other than those mentioned at the critical level above\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities which have not been 
fixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service against an important app\n* Installing a malicious app gives access to the victim app without user interaction\n* Installing a malicious app allows cloning an app in the newest Android native environment\n* Installing a malicious app bypasses permission restrictions and reads user privacy data\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make the system restart or cause denial of service of some features by installing an app\n* Hijacking which causes some harm\n* Interface logic vulnerability which can deceive users, enable phishing, etc.\n* Bypass the lock screen at app level\n* Bypass authentication of the Find Phone function or reset the phone\n* Local leak of general user information\n* System remote temporary denial of service\n* Installing a malicious app allows cloning an app in a lower Android native environment\n* Installing a malicious app allows reading users’ sensitive information in a lower Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low risk information disclosure\n* Vulnerability which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios, or user cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Installing a malicious app allows reading sensitive information that is not users' information \n* SQL injection exposing non-sensitive information in a local app\n* Causing other app components to open any address or open a file, but the data cannot be obtained by installing a malicious app\n* 
Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n* Serious logic flaws which can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, password, authentication key/token, network traffic) on the target device through the LAN environment.\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with the camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with the firmware of the target device through physical access, without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Design flaws and best-practice issues that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS, having a user paste JavaScript into the browser console, or unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated CSRF, low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old versions of IE\n    * HTTP status codes/pages, other non-HTTP codes/pages, or files with non-sensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain server information from the intranet and only produce a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n     * Lack of obfuscation\n     * OAuth \u0026 app secrets hard-coded/recoverable in the APK\n     * Any kind of sensitive data protected by the app private directory\n     * Lack of binary protection controls in an Android app\n     * App setting allowBackup:true  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to an exported component which only causes the app to crash\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n      * Any data leak that requires a malicious app to have already acquired the appropriate permissions\n      * Runtime hacking exploits using tools such as, but not limited to, Frida or AppMon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerabilities that are not very deceptive\n     * Attacks that are only possible on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T03:31:05.803Z"},{"id":3646211,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n------------ \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n\n_Please note that the list above may be updated according to business changes at any time_\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* 
Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n------------ 
\n\n\u003e ## _MOBILE VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* Need to install malicious app to clone app in the newest  
Android native environment\n* Need to install a malicious app to bypass permission restrictions and read user privacy datas.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make system restart or some feathers deny service by installing app\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Bypass the authentication to find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* Browser address bar spoofing attack\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (Except for APP logs with                                                           sensitive information or user data for which encryption has been promised)\n     * Lack of obfuscation is out of scope\n     * OAuth \u0026 App secret hard-coded/recoverable in APK\n     * Any kind of sensitive data protected by the APP private directory\n     * Lack of binary protection control in android app\n     * APP setting allowbackup:True  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to the exported component causes the APP to crash only\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n      * Any data leak because the malicious APP has acquired the appropriate permissions\n      * Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerability with less deceptive\n     * Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T03:28:21.662Z"},{"id":3646210,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n------------ \n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n\n_Please note that the list above may be updated according to business changes at any time_\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* 
Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n| Vulnerability 
level      | Examples                                                     | Bounty                                                       |\n| ------------------------ | :----------------------------------------------------------- | ------------------------------------------------------------ |\n| critical vulnerabilities | * Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\u003cbr/\u003e* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\u003cbr/\u003e* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\u003cbr/\u003e* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc. | Important Business: $1000~$2000\u003cbr/\u003e General Business: $400~$1000\u003cbr/\u003e Edge business：$150~$300 |\n| high vulnerabilities     | * Including but not limited to SQL injection \u003cbr/\u003e* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \u003cbr/\u003e* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\u003cbr/\u003e* Obtain partial users' sensitive information\u003cbr/\u003e* Code disclosure vulnerabilities that make a huge impact\u003cbr/\u003e* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\u003cbr/\u003e* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\u003cbr/\u003e* Privilege escalation which causes great damage to key functions. 
Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\u003cbr/\u003e* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS | Important Business: $300~$600\u003cbr/\u003eGeneral Business: $150~$300\u003cbr/\u003eEdge Business: $50 |\n| medium vulnerabilities   | *  Few users' information disclosure\u003cbr/\u003e*  Stored XSS vulnerabilities\u003cbr/\u003e*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\u003cbr/\u003e*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\u003cbr/\u003e*  Code disclosure but can not make use\u003cbr/\u003e*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\u003cbr/\u003e*  Github disclosure such as employees' mailboxes and online server account passwords etc.\u003cbr/\u003e*  CSRF key functions\u003cbr/\u003e*  File upload cause phishing, storage XSS harm vulnerabilities\u003cbr/\u003e*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\u003cbr/\u003e*  Domain name pointing error can be hijacked | Important Business: $50~$80\u003cbr/\u003eGeneral Business: $50\u003cbr/\u003eEdge Business: Not eligible for bounty |\n| low vulnerabilities      | * Reflected XSS\u003cbr/\u003e* Insensitive information disclosure from third-party platforms like Github.\u003cbr/\u003e* CSRF in non-critical business.\u003cbr/\u003e* Temporary file disclosure/Debug info disclosure\u003cbr/\u003e* Phpinfo\u003cbr/\u003e* Unchecked url-redirection\u003cbr/\u003e* Mail/SMS bombing\u003cbr/\u003e* Vulnerabilities depended on difficult scenarios or pre-conditions\u003cbr/\u003e* Insensitive .svn or .git disclosure\u003cbr/\u003e* Nginx integer 
overflow\u003cbr/\u003e* \"HTTP Host Header\" XSS | Please note that low severity vulnerabilities will be triaged  and you will receive reputation points.\u003cbr/\u003eBut it will be ineligible for bounty as per our reward structure. |\n------------ \n\n\u003e ## _MOBILE VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not 
fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* Need to install malicious app to clone app in the newest  Android native environment\n* Need to install a malicious app to bypass permission restrictions and read user privacy datas.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make system restart or some feathers deny service by installing app\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Bypass the authentication to find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* 
Browser address bar spoofing attacks\n \n ------------ \n\n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* The hardware accepted in Xiaomi’s program includes Xiaomi and Mijia products. \n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or making it perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic flaws which can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device from the LAN\n* Unauthorized control of the target device from the LAN or in near-field non-contact mode, or making it perform functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without dismantling the device \n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n* Design flaws and best-practice findings that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. Self-XSS / having a user paste JavaScript into the browser console / unusable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where you cannot prove the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout, unauthenticated or low-impact CSRF / low-impact CRLF injection / self-only CSRF / low-impact clickjacking or UI redressing / CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of insensitive information, such as:\n    * Error messages revealing software version / IP\n    * Uploaded files that cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browser versions\n    * HTTP error codes/pages, other non-standard HTTP pages, and other insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain information about intranet servers and only produce a DNS lookup log entry without any further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n     * Lack of code obfuscation\n     * OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n     * Any kind of sensitive data stored in the app's private directory\n     * Lack of binary protection controls in Android apps\n     * App manifest setting android:allowBackup=\"true\"  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to an exported component that only causes the app to crash\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n      * Any data leak that requires the malicious app to have already acquired the appropriate permissions\n      * Runtime hacking exploits using tools such as (but not limited to) Frida / AppMon (exploits only possible in a rooted/jailbroken environment)\n     * Spoofing vulnerabilities that are not convincingly deceptive\n     * Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T03:27:24.056Z"},{"id":3646209,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n* FAQ\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. 
you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* This platform is only suitable for international white hats. For Chinese white hats, please submit the report to the Xiaomi Security Center：https://sec.xiaomi.com/\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. 
The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n```\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n```\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* 
Privilege escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n\u003e ## 
_MOBILE VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* Need to install malicious app to clone app in the newest  Android native 
environment\n* Need to install a malicious app to bypass permission restrictions and read user privacy datas.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make system restart or some feathers deny service by installing app\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Bypass the authentication to find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* Browser address bar spoofing attack\n \n \n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (Except for APP logs with                                                           sensitive information or user data for which encryption has been promised)\n     * Lack of obfuscation is out of scope\n     * OAuth \u0026 App secret hard-coded/recoverable in APK\n     * Any kind of sensitive data protected by the APP private directory\n     * Lack of binary protection control in android app\n     * APP setting allowbackup:True  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to the exported component causes the APP to crash only\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n      * Any data leak because the malicious APP has acquired the appropriate permissions\n      * Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerability with less deceptive\n     * Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-27T03:07:22.292Z"},{"id":3641679,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege 
escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n\u003e ## _MOBILE 
VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing the permission check to access payment data or users’ authentication data in the TEE\n* Bypassing system security protections such as secure boot or SELinux\n* TEE arbitrary command execution\n* Remote permanent denial of service of the system that affects important features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~$1500\n* General Business: $300~$700\n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that are of no use to an attacker but may lead to great loss for users\n* Vulnerabilities that need some user interaction and can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at the system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned in the critical level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have been unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Installing a malicious app to gain access to the victim app without interaction\n* Installing a malicious app to clone an app in the newest Android native 
environment\n* Installing a malicious app to bypass permission restrictions and read users' private data\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~$300\n* General Business: $75~$150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities that can make the system restart or cause denial of service of some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* Bypassing the lock screen at the app level\n* Bypassing authentication for the Find Phone function or resetting the phone\n* Local leak of users’ general information\n* Remote temporary denial of service of the system\n* Installing a malicious app to clone an app in an older Android native environment\n* Installing a malicious app to read users' sensitive information in an older Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger information security\n* Loading an arbitrary URL through an exposed component for phishing\n* Installing a malicious app to read sensitive information that is not users' information \n* SQL injection exposing insensitive information in a local app\n* Invoking other apps' components to open any address or file, but without obtaining the data, by installing a malicious app\n* Browser address bar spoofing attack\n \n \n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without dismantling the device \n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. 
Self-XSS, having a user paste JavaScript into the browser console, or exposure of third-party API keys that cannot be used and has no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout or unauthenticated CSRF, low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of insensitive information, such as:\n    * Error messages revealing software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browser versions\n    * HTTP codes/pages, other non-HTTP codes/pages, etc., and insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain relevant intranet server information and only produces a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability  \n\n**(Mobile) Code security and user data storage**\n    * Absence of certificate pinning\n    * Sensitive data in URLs/request bodies when protected by TLS\n    * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n    * Lack of obfuscation\n    * OAuth \u0026 app secrets hard-coded/recoverable in the APK\n    * Any kind of sensitive data protected by the app's private directory\n    * Lack of binary protection controls in Android apps\n    * App setting allowBackup:true  \n**(Mobile) Local DoS attacks with limited impact**\n    * Sending malformed intents to an exported component that only causes the app to crash\n    * Browser crashes due to excessive resource requests\n    * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n    * Any data leak caused by a malicious app that has acquired the appropriate permissions\n    * Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)\n    * Spoofing vulnerabilities that are not very deceptive\n    * Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-25T09:52:50.329Z"},{"id":3641678,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of a vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of reporters, and if necessary, external parties may be invited to decide jointly, applying the CVSS standard. \n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by its impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same root cause count as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only confirm the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following test URL: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized to distinguish your tests:\n    * If there is an echo (the response is displayed), a complete page screenshot of the echo (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo, state the content and access time of the custom field in the report, and Xiaomi Security will verify it.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of the reward are entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that web and mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge Business: $150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system privileges, including but not limited to SQL injection, remote overflows, etc.\n* Obtaining sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that yield large illegitimate profits and cause losses to the company and users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Activity and business logic vulnerabilities, such as obtaining some profit from points or red envelopes \n* Weak passwords or verification bypass that grant access to backend systems with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities with a large impact\n* SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Logging in to individual accounts via user interaction, with actual user operating authority\n* Privilege 
escalation that causes great damage to key functions, or design defect vulnerabilities, such as obtaining a large amount of valid user information through logic flaws\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n* Important Business: $50~$80\n* General Business: $50\n* Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n* Information disclosure affecting few users\n* Stored XSS vulnerabilities\n* Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities that expose some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF with no echo or partial echo that cannot obtain intranet information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure, such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload that enables phishing or stored XSS\n* Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/debug info disclosure\n* phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n\u003e ## _MOBILE 
VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users economic losses\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing the permission check to access payment data or users’ authentication data in the TEE\n* Bypassing system security protections such as secure boot or SELinux\n* TEE arbitrary command execution\n* Remote permanent denial of service of the system that affects important features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~$1500\n* General Business: $300~$700\n\n**Examples of HIGH vulnerabilities**\n* Remote access to most or part of users' sensitive information\n* Vulnerabilities that are of no use to an attacker but may lead to great loss for users\n* Vulnerabilities that need some user interaction and can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at the system level (must be tested on the latest development versions and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned in the critical level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have been unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Installing a malicious app to gain access to the victim app without interaction\n* Installing a malicious app to clone an app in the newest Android native 
environment\n* Installing a malicious app to bypass permission restrictions and read users' private data\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~$300\n* General Business: $75~$150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities that can make the system restart or cause denial of service of some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities that can deceive users, enable phishing, etc.\n* Bypassing the lock screen at the app level\n* Bypassing authentication for the Find Phone function or resetting the phone\n* Local leak of users’ general information\n* Remote temporary denial of service of the system\n* Installing a malicious app to clone an app in an older Android native environment\n* Installing a malicious app to read users' sensitive information in an older Android native environment\n* SQL injection exposing sensitive information in a local app\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low risk information disclosure\n* Vulnerabilities that can only be exploited under complex conditions\n* Application upgrade hijacking\n* Vulnerabilities that need physical contact, specific scenarios or users’ cooperation to endanger information security\n* Loading an arbitrary URL through an exposed component for phishing\n* Installing a malicious app to read sensitive information that is not users' information \n* SQL injection exposing insensitive information in a local app\n* Invoking other apps' components to open any address or file, but without obtaining the data, by installing a malicious app\n* Browser address bar spoofing attack\n \n \n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n* Serious logic vulnerabilities that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN\n* Unauthorized control of the target device through the LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without dismantling the device \n* Denial of service (not including traffic and performance attacks) against the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. 
Self-XSS, having a user paste JavaScript into the browser console, or exposure of third-party API keys that cannot be used and has no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout or unauthenticated CSRF, low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of insensitive information, such as:\n    * Error messages revealing software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced in certain old IE browser versions\n    * HTTP codes/pages, other non-HTTP codes/pages, etc., and insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain relevant intranet server information and only produces a DNS log entry without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers that do not lead directly to a vulnerability  \n\n--------- \n\n**(Mobile) Code security and user data storage**\n    * Absence of certificate pinning\n    * Sensitive data in URLs/request bodies when protected by TLS\n    * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n    * Lack of obfuscation\n    * OAuth \u0026 app secrets hard-coded/recoverable in the APK\n    * Any kind of sensitive data protected by the app's private directory\n    * Lack of binary protection controls in Android apps\n    * App setting allowBackup:true  \n**(Mobile) Local DoS attacks with limited impact**\n    * Sending malformed intents to an exported component that only causes the app to crash\n    * Browser crashes due to excessive resource requests\n    * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n    * Any data leak caused by a malicious app that has acquired the appropriate permissions\n    * Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)\n    * Spoofing vulnerabilities that are not very deceptive\n    * Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-25T09:52:21.512Z"},{"id":3641677,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of a vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of reporters, and if necessary, external parties may be invited to decide jointly, applying the CVSS standard. \n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by its impact, the risks and the current mitigation measures \n* Multiple vulnerabilities caused by the same root cause count as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only confirm the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following test URL: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized to distinguish your tests:\n    * If there is an echo (the response is displayed), a complete page screenshot of the echo (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo, state the content and access time of the custom field in the report, and Xiaomi Security will verify it.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of the reward are entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that web and mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege 
escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n\u003e ## _MOBILE 
VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* Need to install malicious app to clone app in the newest  Android native 
environment\n* Need to install a malicious app to bypass permission restrictions and read user privacy datas.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make system restart or some feathers deny service by installing app\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Bypass the authentication to find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* Browser address bar spoofing attack\n \n \n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n\n##(Mobile) Code security and user data storage\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (Except for APP logs with                                                           sensitive information or user data for which encryption has been promised)\n     * Lack of obfuscation is out of scope\n     * OAuth \u0026 App secret hard-coded/recoverable in APK\n     * Any kind of sensitive data protected by the APP private directory\n     * Lack of binary protection control in android app\n     * APP setting allowbackup:True  \n##(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to the exported component causes the APP to crash only\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n##(Mobile) Others**\n      * Any data leak because the malicious APP has acquired the appropriate permissions\n      * Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerability with less deceptive\n     * Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-25T09:49:36.973Z"},{"id":3641676,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege 
escalation which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n\u003e ## _MOBILE 
VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* Need to install malicious app to clone app in the newest  Android native 
environment\n* Need to install a malicious app to bypass permission restrictions and read user privacy datas.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make system restart or some feathers deny service by installing app\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Bypass the authentication to find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* Browser address bar spoofing attack\n \n \n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications  such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF /Low-impact clickjacking, low-impact UI redressing/misconfiguration that lead to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Insensitive disclosure information such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or,other HTTP non- codes/pages etc/insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simple accessed dns log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability  \n---------   \n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (Except for APP logs with                                                           sensitive information or user data for which encryption has been promised)\n     * Lack of obfuscation is out of scope\n     * OAuth \u0026 App secret hard-coded/recoverable in APK\n     * Any kind of sensitive data protected by the APP private directory\n     * Lack of binary protection control in android app\n     * APP setting allowbackup:True  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to the exported component causes the APP to crash only\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n      * Any data leak because the malicious APP has acquired the appropriate permissions\n      * Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerability with less deceptive\n     * Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-25T09:43:07.180Z"},{"id":3641675,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to decide jointly and apply the CVSS standard. \n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Whether the report is confirmed as a valid vulnerability will be based on the sensitivity of the leaked information\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive a reduced award.\n* The final assessment of each vulnerability is determined by its impact, the risk it poses and the mitigations currently in place.\n* Multiple vulnerabilities arising from the same root cause count as one vulnerability; for example, multiple issues caused by a single server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and rate them according to their actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized so that your requests can be told apart. Two cases are distinguished:\n    * If the response is echoed back, a full-page screenshot of the echoed content (including its text length and whether the echo is complete or partial) must be submitted in the report.\n    * If there is no echo, state the custom path value and the access time in the report, and Xiaomi Security will verify the request on the sheriff service.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operations and maintenance monitoring systems, test pages, test environments, and open-source systems lacking access control\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge Business: $150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system privileges, including but not limited to SQL injection, remote overflows, etc.\n* Obtaining sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that allow large illegitimate profits and cause losses to the company or users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Injection vulnerabilities, including but not limited to SQL injection\n* Promotion or business logic vulnerabilities, such as obtaining limited profit from points or red envelopes\n* Weak passwords or verification bypass giving access to backend systems with some actual authority or sensitive information\n* Obtaining some users' sensitive information\n* Source code disclosure with major impact\n* SSRF that reaches the intranet and returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log in to individual user accounts through user interaction and gain that user's actual operating authority\n* Privilege 
escalation that causes great damage to key functions, or design defects such as obtaining a large amount of valid user information through logic flaws\n* Complete access to core business session cookies or other sensitive information, or stored XSS that spreads widely across accounts\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a small number of users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation causing limited damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities that expose some sensitive information\n*  Source code disclosure that cannot be further exploited\n*  SSRF reaching the intranet with no echo or only partial echo, without obtaining information or service access (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub disclosure, such as employee mailboxes or production server account passwords\n*  CSRF on key functions\n*  File upload vulnerabilities leading to phishing or stored XSS\n*  Vulnerabilities requiring strong or multi-step user interaction (two or more steps) to have an impact\n*  Dangling DNS records that can be hijacked (subdomain takeover)\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure on third-party platforms such as GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/debug info disclosure\n* phpinfo pages\n* Unvalidated URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on unlikely scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n\u003e ## _MOBILE 
VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All apps in MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other Xiaomi Inc. apps and apps preinstalled in MIUI\n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users financial loss\n* Obtaining system root privileges\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or system security mechanisms such as SELinux\n* Arbitrary code execution in the TEE\n* Remote permanent denial of service of the system that affects important features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~$1500\n* General Business: $300~$700\n\n**Examples of HIGH vulnerabilities**\n* Remote access to some users' sensitive information\n* Vulnerabilities that bring no gain to the attacker but may cause great loss to users\n* Vulnerabilities requiring some user interaction that can lead to great loss to users\n* Obtaining system privileges\n* Bypassing the lock screen at the system level (must be tested on the latest development version and be reproducible across devices)\n* Bypassing authentication to access sensitive data in the TEE other than the data listed under CRITICAL\n* Local leak of users’ sensitive information\n* Dangerous Android or Chromium vulnerabilities that have remained unfixed for more than 6 months (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* A malicious app that, once installed, gains access to the victim app without user interaction\n* A malicious app that, once installed, can clone an app on the latest native Android 
environment\n* A malicious app that, once installed, bypasses permission restrictions and reads users' private data\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~$300\n* General Business: $75~$150\n\n**Examples of MEDIUM vulnerabilities**\n* An installed app that can make the system restart or cause denial of service of some features\n* Hijacking that causes some harm\n* UI logic vulnerabilities that can deceive users or enable phishing\n* Bypassing the lock screen at the app level\n* Bypassing authentication for the find-phone function or to reset the phone\n* Local leak of users’ general (non-sensitive) information\n* Remote temporary denial of service of the system\n* A malicious app that, once installed, can clone an app on older native Android versions\n* A malicious app that, once installed, can read users' sensitive information on older native Android versions\n* Local SQL injection in an app that exposes sensitive information\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities exploitable only under complex conditions\n* Application update hijacking\n* Attacks requiring physical access, specific scenarios or user cooperation to endanger information security\n* Loading an arbitrary URL through an exported component for phishing\n* A malicious app that, once installed, can read sensitive information that is not user data\n* Local SQL injection in an app that exposes only non-sensitive information\n* An installed malicious app that can invoke another app's components to open arbitrary URLs or files but cannot obtain the data\n* Browser address bar spoofing\n \n \n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Hardware accepted in Xiaomi’s program includes Xiaomi and Mijia products. 
\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability against “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code on, or obtaining user private data (video, audio, passwords, authentication keys/tokens, network traffic) from, the target device over the Internet or via a near-field, non-contact channel\n* Unauthorized control of the target device over the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic flaws that can cause large financial losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code on, or obtaining user private data (video, audio, passwords, authentication keys/tokens, network traffic) from, the target device from within the LAN\n* Unauthorized control of the target device from within the LAN or via a near-field, non-contact channel, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without disassembling it\n* Denial of service against the device over the Internet or LAN (excluding traffic-flooding and performance attacks)\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. 
self-XSS (having a user paste JavaScript into the browser console), or exposure of unusable third-party API keys with no significant security impact\n* Subdomain takeovers without proof that the subdomain can actually be taken over\n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-only CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Non-sensitive information disclosure, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed\n    * Vulnerabilities that can only be reproduced in certain old versions of Internet Explorer\n    * HTTP error codes/pages, other non-error pages, and other non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain information about intranet servers and only produces a DNS lookup in a log, with no further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n****  \n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n     * Lack of code obfuscation\n     * OAuth \u0026 App secret hard-coded/recoverable in APK\n     * Any kind of sensitive data stored in the app's private directory\n     * Lack of binary protection controls in Android apps\n     * App setting allowBackup:true  \n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to an exported component that only crashes the app\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser  \n**(Mobile) Others**\n     * Any data leak that requires the malicious app to have already been granted the corresponding permissions\n     * Runtime hooking exploits using tools such as (but not limited to) Frida or AppMon (exploits only possible in a rooted or jailbroken environment)\n     * Spoofing vulnerabilities with low deceptive potential\n     * Attacks that only work on older versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-25T09:42:10.452Z"},{"id":3641674,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to decide jointly and apply the CVSS standard. \n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Whether the report is confirmed as a valid vulnerability will be based on the sensitivity of the leaked information\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive a reduced award.\n* The final assessment of each vulnerability is determined by its impact, the risk it poses and the mitigations currently in place.\n* Multiple vulnerabilities arising from the same root cause count as one vulnerability; for example, multiple issues caused by a single server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and rate them according to their actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized so that your requests can be told apart. Two cases are distinguished:\n    * If the response is echoed back, a full-page screenshot of the echoed content (including its text length and whether the echo is complete or partial) must be submitted in the report.\n    * If there is no echo, state the custom path value and the access time in the report, and Xiaomi Security will verify the request on the sheriff service.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.\n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: some operations and maintenance monitoring systems, test pages, test environments, and open-source systems lacking access control\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge Business: $150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system privileges, including but not limited to SQL injection, remote overflows, etc.\n* Obtaining sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that allow large illegitimate profits and cause losses to the company or users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Injection vulnerabilities, including but not limited to SQL injection\n* Promotion or business logic vulnerabilities, such as obtaining limited profit from points or red envelopes\n* Weak passwords or verification bypass giving access to backend systems with some actual authority or sensitive information\n* Obtaining some users' sensitive information\n* Source code disclosure with major impact\n* SSRF that reaches the intranet and returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that log in to individual user accounts through user interaction and gain that user's actual operating authority\n* Privilege 
escalation that causes great damage to key functions, or design defects such as obtaining a large amount of valid user information through logic flaws\n* Complete access to core business session cookies or other sensitive information, or stored XSS that spreads widely across accounts\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a small number of users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation causing limited damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities that expose some sensitive information\n*  Source code disclosure that cannot be further exploited\n*  SSRF reaching the intranet with no echo or only partial echo, without obtaining information or service access (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub disclosure, such as employee mailboxes or production server account passwords\n*  CSRF on key functions\n*  File upload vulnerabilities leading to phishing or stored XSS\n*  Vulnerabilities requiring strong or multi-step user interaction (two or more steps) to have an impact\n*  Dangling DNS records that can be hijacked (subdomain takeover)\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Non-sensitive information disclosure on third-party platforms such as GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/debug info disclosure\n* phpinfo pages\n* Unvalidated URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on unlikely scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n\u003e ## _MOBILE 
VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All apps in MIUI 12 Global\n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other Xiaomi Inc. apps and apps preinstalled in MIUI\n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities that could cause users financial loss\n* Obtaining system root privileges\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permission checks to access payment data or users’ authentication data in the TEE\n* Bypassing secure boot or system security mechanisms such as SELinux\n* Arbitrary code execution in the TEE\n* Remote permanent denial of service of the system that affects important features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~$1500\n* General Business: $300~$700\n\n**Examples of HIGH vulnerabilities**\n* Remote access to some users' sensitive information\n* Vulnerabilities that bring no gain to the attacker but may cause great loss to users\n* Vulnerabilities requiring some user interaction that can lead to great loss to users\n* Obtaining system privileges\n* Bypassing the lock screen at the system level (must be tested on the latest development version and be reproducible across devices)\n* Bypassing authentication to access sensitive data in the TEE other than the data listed under CRITICAL\n* Local leak of users’ sensitive information\n* Dangerous Android or Chromium vulnerabilities that have remained unfixed for more than 6 months (PoC and exploit required)\n* Remote permanent denial of service of an important app\n* A malicious app that, once installed, gains access to the victim app without user interaction\n* A malicious app that, once installed, can clone an app on the latest native Android 
environment\n* A malicious app that, once installed, bypasses permission restrictions and reads users' private data\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~$300\n* General Business: $75~$150\n\n**Examples of MEDIUM vulnerabilities**\n* An installed app that can make the system restart or cause denial of service of some features\n* Hijacking that causes some harm\n* UI logic vulnerabilities that can deceive users or enable phishing\n* Bypassing the lock screen at the app level\n* Bypassing authentication for the find-phone function or to reset the phone\n* Local leak of users’ general (non-sensitive) information\n* Remote temporary denial of service of the system\n* A malicious app that, once installed, can clone an app on older native Android versions\n* A malicious app that, once installed, can read users' sensitive information on older native Android versions\n* Local SQL injection in an app that exposes sensitive information\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerabilities exploitable only under complex conditions\n* Application update hijacking\n* Attacks requiring physical access, specific scenarios or user cooperation to endanger information security\n* Loading an arbitrary URL through an exported component for phishing\n* A malicious app that, once installed, can read sensitive information that is not user data\n* Local SQL injection in an app that exposes only non-sensitive information\n* An installed malicious app that can invoke another app's components to open arbitrary URLs or files but cannot obtain the data\n* Browser address bar spoofing\n \n \n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Hardware accepted in Xiaomi’s program includes Xiaomi and Mijia products. 
\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability against “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Executing arbitrary code on, or obtaining user private data (video, audio, passwords, authentication keys/tokens, network traffic) from, the target device over the Internet or via a near-field, non-contact channel\n* Unauthorized control of the target device over the Internet, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic flaws that can cause large financial losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Executing arbitrary code on, or obtaining user private data (video, audio, passwords, authentication keys/tokens, network traffic) from, the target device from within the LAN\n* Unauthorized control of the target device from within the LAN or via a near-field, non-contact channel, or making it perform functions for unintended purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into, or tampering with the firmware of, the target device with physical access but without disassembling it\n* Denial of service against the device over the Internet or LAN (excluding traffic-flooding and performance attacks)\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best-practice deviations that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. 
Self-XSS, having a user paste JavaScript into the browser console, or exposure of unusable third-party API keys with no significant security impact \n* Subdomain takeovers without proof that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed \n    * Vulnerabilities that can only be reproduced in older versions of Internet Explorer\n    * HTTP status codes/pages, other HTTP or non-HTTP pages, and files containing non-sensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain information about intranet servers and only produces a DNS log entry without further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n***\n**(Mobile) Code security and user data storage**\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n     * Lack of code obfuscation\n     * OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n     * Any kind of sensitive data stored in the app's private directory\n     * Lack of binary protection controls in Android apps\n     * App manifest setting android:allowBackup=\"true\"\u003cbr\u003e\n**(Mobile) Local DoS attacks with limited impact**\n     * Sending malformed intents to an exported component that only crashes the app\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser\u003cbr\u003e\n**(Mobile) Others**\n      * Any data leak that requires the malicious app to have already acquired the appropriate permissions\n      * Runtime hacking exploits using tools such as (but not limited to) Frida or AppMon (exploits only possible in a jailbroken/rooted environment)\n     * Spoofing vulnerabilities that are not very deceptive\n     * Attacks that only work on older Android versions\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-25T09:40:16.042Z"},{"id":3641403,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle it in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide, applying the CVSS standard. \n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports generated by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by its impact, the risks, and the current mitigation measures. \n* Multiple vulnerabilities caused by the same root cause count as one vulnerability. For example, multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized to distinguish your tests:\n    * If the response is echoed back to you, submit a full-page screenshot of the echoed response (including the text length and whether the echo is complete or partial) in the report.\n    * If there is no echo, state the customized path segment and the access time in the report, and Xiaomi Security will verify the request on its side.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of the reward are entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n\n\u003e ## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring systems, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge Business: $150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that allow obtaining large profits at the expense of the company or users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Activity or business logic vulnerabilities, such as obtaining some profit from points or red envelopes \n* Weak passwords or verification bypasses that give access to back-end systems with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities that have a large impact\n* SSRF that returns intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts via user interaction and gaining actual operating authority over the account\n* Privilege escalation which causes great damage to key functions, and design defects such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a few users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities which can view some sensitive information\n*  Code disclosure that cannot be exploited further\n*  SSRF into the intranet with no echo or partial echo that cannot obtain information or service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub disclosure, such as employees' mailboxes and production server account passwords, etc.\n*  CSRF on key functions\n*  File upload that enables phishing or Stored XSS\n*  Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n*  Dangling domain name records that can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Disclosure of non-sensitive information on third-party platforms like GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n\n\u003e ## _MOBILE 
VULNERABILITIES_\n\u003e Please note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n**Testing Scope and Categorisation**\n* All apps in MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause economic losses to users\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing security mechanisms such as secure boot or SELinux\n* Arbitrary command execution in the TEE\n* Remote permanent denial of service of the system which affects important system features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~$1500\n* General Business: $300~$700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to part of users' sensitive information\n* Vulnerability which is of no use to the attacker but may cause great loss to users\n* Requires some user interaction but can cause great loss to users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development version and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned at the CRITICAL level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (with PoC and exploit)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without interaction\n* Requires installing a malicious app to clone an app on the newest Android native 
environment\n* Requires installing a malicious app to bypass permission restrictions and read users' private data\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~$300\n* General Business: $75~$150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make the system restart or deny service to some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerability which can deceive users, enable phishing, etc.\n* Bypass the lock screen at app level\n* Bypass authentication for the Find Phone function or reset the phone\n* Local leak of general user information\n* Remote temporary denial of service of the system\n* Requires installing a malicious app to clone an app on an older Android native environment\n* Requires installing a malicious app to read users' sensitive information on an older Android native environment\n* SQL injection in a local app that exposes sensitive information\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low-risk information disclosure\n* Vulnerability which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical access, specific scenarios, or user cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not user information \n* SQL injection in a local app that exposes only non-sensitive information\n* Invoking another app's components to open an arbitrary address or file, without being able to obtain the data, by installing a malicious app\n* Browser address bar spoofing attack\n \n \n\u003e ## _HARDWARE VULNERABILITIES_\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or a near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n* Serious logic vulnerabilities that can cause large economic losses\n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN\n* Unauthorized control of the target device through the LAN or a near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor its video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implanting malicious code or tampering with the firmware of the target device with physical access but without dismantling the device \n* Denial-of-service impact (not including traffic flooding or performance attacks) on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and deviations from best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. E.g. 
Self-XSS, having a user paste JavaScript into the browser console, or exposure of unusable third-party API keys with no significant security impact \n* Subdomain takeovers without proof that the subdomain can actually be taken over \n* Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, and CORS misconfigurations without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Disclosure of non-sensitive information, such as:\n    * Error messages revealing software versions or IP addresses\n    * Uploaded files that cannot be parsed \n    * Vulnerabilities that can only be reproduced in older versions of Internet Explorer\n    * HTTP status codes/pages, other HTTP or non-HTTP pages, and files containing non-sensitive information\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF that cannot obtain information about intranet servers and only produces a DNS log entry without further impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of the autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n* (Mobile) Code security and user data storage\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n     * Lack of code obfuscation\n     * OAuth \u0026 app secrets hard-coded in or recoverable from the APK\n     * Any kind of sensitive data stored in the app's private directory\n     * Lack of binary protection controls in Android apps\n     * App manifest setting android:allowBackup=\"true\"\n* (Mobile) Local DoS attacks with limited impact\n     * Sending malformed intents to an exported component that only crashes the app\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser\n* (Mobile) Others\n      * Any data leak that requires the malicious app to have already acquired the appropriate permissions\n      * Runtime hacking exploits using tools such as (but not limited to) Frida or AppMon (exploits only possible in a jailbroken/rooted environment)\n     * Spoofing vulnerabilities that are not very deceptive\n     * Attacks that only work on older Android versions\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-18T08:09:39.622Z"},{"id":3639493,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, e.g. exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle it in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide, applying the CVSS standard. \n* Vulnerabilities regarding information disclosure from cloud storage buckets (e.g. S3, KSS, FDS, etc.):\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified vulnerability reports generated by automated tools or scanners will be ignored or receive reduced awards.\n* The final assessment of each vulnerability is determined by its impact, the risks, and the current mitigation measures. \n* Multiple vulnerabilities caused by the same root cause count as one vulnerability. For example, multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, etc.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.\n* As for vulnerabilities in partner manufacturers' products, we only confirm vulnerabilities related to Xiaomi's business, and will rate them according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have found an SSRF in production, please use the following URL for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\" path segment can be customized to distinguish your tests:\n    * If the response is echoed back to you, submit a full-page screenshot of the echoed response (including the text length and whether the echo is complete or partial) in the report.\n    * If there is no echo, state the customized path segment and the access time in the report, and Xiaomi Security will verify the request on its side.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of the reward are entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc. \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring systems, test pages, test environments, and open source systems that lack access controls\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge Business: $150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.\n* Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.\n* Payment vulnerabilities, including but not limited to serious logic errors that allow obtaining large profits at the expense of the company or users\n* Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Activity or business logic vulnerabilities, such as obtaining some profit from points or red envelopes \n* Weak passwords or verification bypasses that give access to back-end systems with some actual authority or sensitive information\n* Obtaining part of users' sensitive information\n* Code disclosure vulnerabilities that have a large impact\n* SSRF that returns intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Vulnerabilities that allow logging in to individual accounts via user interaction and gaining actual operating authority over the account\n* Privilege escalation which causes great damage to key functions, and design defects such as obtaining a large amount of valid user information through logic vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Disclosure of a few users' information\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n*  File inclusion and directory traversal vulnerabilities which can view some sensitive information\n*  Code disclosure that cannot be exploited further\n*  SSRF into the intranet with no echo or partial echo that cannot obtain information or service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  GitHub disclosure, such as employees' mailboxes and production server account passwords, etc.\n*  CSRF on key functions\n*  File upload that enables phishing or Stored XSS\n*  Vulnerabilities that need strong or multi-step interaction (two or more steps) to have an impact\n*  Dangling domain name records that can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Disclosure of non-sensitive information on third-party platforms like GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Non-sensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n \n## _MOBILE 
VULNERABILITIES_\nPlease note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n**Testing Scope and Categorisation**\n* All apps in MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause economic losses to users\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing security mechanisms such as secure boot or SELinux\n* Arbitrary command execution in the TEE\n* Remote permanent denial of service of the system which affects important system features such as Wi-Fi, SMS and telephony\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~$1500\n* General Business: $300~$700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to part of users' sensitive information\n* Vulnerability which is of no use to the attacker but may cause great loss to users\n* Requires some user interaction but can cause great loss to users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development version and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than the data mentioned at the CRITICAL level\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (with PoC and exploit)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without interaction\n* Requires installing a malicious app to clone an app on the newest Android native environment\n* 
Need to install a malicious app to bypass permission restrictions and read user privacy datas.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make system restart or some feathers deny service by installing app\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Bypass the authentication to find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n* Browser address bar spoofing attack\n \n \n## _HARDWARE VULNERABILITIES_\n\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF/Low-impact clickjacking, low-impact UI redressing/misconfiguration that leads to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Non-sensitive information disclosure such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or other HTTP non-codes/pages etc./non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simply accesses a DNS log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n* (Mobile) Code security and user data storage\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (Except for APP logs with                                                           sensitive information or user data for which encryption has been promised)\n     * Lack of obfuscation is out of scope\n     * OAuth \u0026 App secret hard-coded/recoverable in APK\n     * Any kind of sensitive data protected by the APP private directory\n     * Lack of binary protection control in android app\n     * APP setting allowbackup:True\n*(Mobile) Local DoS attacks with limited impact\n     * Sending malformed intents to the exported component causes the APP to crash only\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser\n*(Mobile) Others\n      * Any data leak because the malicious APP has acquired the appropriate permissions\n      * Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerability with less deceptive\n     * Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-13T08:20:40.610Z"},{"id":3637243,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n* Vulnerabilities regarding information disclosure of cloud storage buckets (Eg: S3, KSS, FDS etc)：\n    * We will confirm internally whether the information or link should be publicly accessible/viewable\n    * Confirmation of the valid vulnerability will be based on the sensitivity of information leakage\n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation 
which causes great damage to key functions. Design defect vulnerabilities, such as obtain a large amount of valid user information through logical vulnerabilities\n* Complete access to core business session cookies and other sensitive information, or can cause widespread cross-account Stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n*  Important Business: $50~$80\n*  General Business: $50\n*  Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n*  Few users' information disclosure\n*  Stored XSS vulnerabilities\n*  Privilege escalation which causes some damage such as edit, delete comments, change the functional properties etc.\n*  File contains and directory traversal vulnerabilities which could view some parts of sensitive information\n*  Code disclosure but can not make use\n*  SSRF intranet no echo or partial echo but can not get information and service permissions (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n*  Github disclosure such as employees' mailboxes and online server account passwords etc.\n*  CSRF key functions\n*  File upload cause phishing, storage XSS harm vulnerabilities\n*  Need strong interaction, multi-step interaction (two or more steps) to have a impact\n*  Domain name pointing error can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like Github.\n* CSRF in non-critical business.\n* Temporary file disclosure/Debug info disclosure\n* Phpinfo\n* Unchecked url-redirection\n* Mail/SMS bombing\n* Vulnerabilities depended on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n \n## _MOBILE 
VULNERABILITIES_\nPlease note that vulnerabilities of low severity will be triaged but not awarded with a bounty. \n\n**Testing Scope and Categorisation**\n* All the apps of Miui 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: Other App of Xiaomi Inc.and App preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could make user economic losses\n* Obtain system root permission\n* Remote command execution\n* Remote access to user sensitive information\n* Bypass the permission to access the payment data or users’ authentication data on tee\n* Bypass the security boot, such as SELinux\n* TEE arbitrary command execution\n* System remote permanent deny service\nwhich influences the system’s important features such as wifi, sms and telephone.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~1500\n* General Business: $300~700\n\n **Examples of HIGH vulnerabilities**\n* Remote access to most partial users sensitive information\n* Vulnerability which has useless to attacker but may lead to great loss to users\n* Need some interactive logic so that can lead to users' great loss\n* Obtain system permission\n* Bypass the lock screen on system-level(need test the latest development versions and universal can be reproduced)\n* Bypass the authentication to access the sensitive data in TEE other than these mentioned in the major level\n* Local users’ sensitive information leak\n* Android or chromium vulnerabilities which are not fixed exceeding 6 months and hazardous(poc and exp)\n* Important app remote permanent deny service\n* Need to install malicious app to gain access to the victim app without interaction\n* Need to install malicious app to clone app in the newest  Android native environment\n* 
Need to install a malicious app to bypass permission restrictions and read user privacy datas.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~300\n* General Business: $75~150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerability which can make system restart or some feathers deny service by installing app\n* Hijacking cause some harm\n* Interface logic vulnerability which can deceive users or fishing etc.\n* Bypass lock screen on app level\n* Bypass the authentication to find phone function or reset the phone\n* Local general users’ information leak\n* System remote temporary deny service\n* Need install malicious app to clone app in the lower  Android native environment\n* Need install malicious app to read users‘  sensitive information in the lower android native environment\n* SQL injection of sensitive information  in local App\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* App unsafe configuration\n* Low risk information disclosure\n* Vulnerability which can be exploited in a complex condition\n* Application upgrade hijacked\n* Need Physical contact ，specific scenarios，users’ cooperation to endanger the security of information\n* Load arbitrarily url through exposed component to fishing\n* Need install malicious app to read sensitive information but not users' information \n* SQL injection of insensitive information  in local App\n* Raise other app components to open any address, open the file, but can't get the data by installing malicious app\n \n \n## _HARDWARE VULNERABILITIES_\n\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. 
\n* For hardware / IOT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. \n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n **Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through the Internet or near field non-contact.mode\n* Unauthorized control over the target device via the Internet, or perform functions for unexpected purposes (such as broadcasting arbitrary video on TV, tampering with the camera to monitor video)\n*Serious logic can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n **Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (Video, audio, password, authentication key/token, network traffic) on the target device through LAN environment.\n* Unauthorized control of the target device through LAN or near-field non-contact mode, or function effect for unexpected purpose (such as arbitrary video broadcast on TV, tamper with camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n **Examples of LOW vulnerabilities**\n* Implant malicious code or tamper with firmware into the target device by physically but without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi. Eg. 
Self-XSS/having a user paste JavaScript into the browser console/Unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers - Unable to prove it can be taken over \n* Minimal security implications such as logout/Unauthenticated/Low-impact CSRF/Low-impact CRLF/Self-use CSRF/Low-impact clickjacking, low-impact UI redressing/misconfiguration that leads to CORS but without any information leak\n* Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Session not invalidated after logout\n* Non-sensitive information disclosure such as:\n    * Error message: Software version/IP\n    * Uploaded file cannot be parsed \n    * Vulnerabilities that can only be reproduced by certain low-level IE browsers\n    * HTTP codes/pages or other HTTP non-codes/pages etc./non-sensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerability that cannot obtain the relevant server information of the Intranet, but simply accesses a DNS log without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. 
mx records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers(unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n* (Mobile) Code security and user data storage\n     * Absence of certificate pinning\n     * Sensitive data in URLs/request bodies when protected by TLS\n     * User data stored unencrypted on external storage (Except for APP logs with                                                           sensitive information or user data for which encryption has been promised)\n     * Lack of obfuscation is out of scope\n     * OAuth \u0026 App secret hard-coded/recoverable in APK\n     * Any kind of sensitive data protected by the APP private directory\n     * Lack of binary protection control in android app\n     * APP setting allowbackup:True\n*(Mobile) Local DoS attacks with limited impact\n     * Sending malformed intents to the exported component causes the APP to crash only\n     * Browser crashes due to excessive resource requests\n     * Local DoS attacks that users can resolve by restarting the browser\n*(Mobile) Others\n      * Any data leak because the malicious APP has acquired the appropriate permissions\n      * Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n     * Spoofing vulnerability with less deceptive\n     * Attacks that are only available in lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-11T03:16:19.552Z"},{"id":3636440,"new_policy":"# TABLE OF CONTENTS\n* Ground Rules\n* Response target\n* Disclosure Policy\n* General Vulnerability Assessment\n* Vulnerabilities and Reward Structure\n    * Web Vulnerabilities \n    * Mobile Vulnerabilities \n    * Hardware Vulnerabilities\n* Out of scope Vulnerabilities\n* Safe Harbour\n\n----------------\n \n# Ground Rules\n* The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.\n* Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, eg :exploiting vulnerabilities to steal user data, intrusion into Xiaomi’s services, changing ,copying or stealing data from related system services, or malicious disseminating vulnerabilities or data.\n* Please do not leave a system or users in a more vulnerable state than when you found them. 
You should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.\n* Dispute resolution - When the results of the vulnerability review are disputed, we will handle in accordance with the principle of prioritizing the interests of the reporters, and if necessary, external parties may be invited to jointly decide and introduce CVSS standard. \n\n ------------ \n\n# Response Targets\nXiaomi will make a best effort to meet the following response targets for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 5 business days\n* Time to bounty (from triage) - 7 business days\n \nWe’ll try to keep you informed about our progress throughout the process. \n ------------ \n\n# Disclosure Guidelines\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.\n \n------------ \n\n# General Vulnerability Assessment\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Unverified Vulnerabilities reports using automated tools or scanners will be ignored or decreased awards.\n* The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures \n* The number of multiple vulnerabilities caused by the same vulnerability source is one. 
For example, multiple problems caused by a certain configuration of the server, the same file or template, generic domain name resolution, etc\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Regarding the vulnerabilities of the third-party component problem, we only confirm the unknown and 0day, and only confirm the first submission.\n* As for the vulnerability of the cooperative manufacturers, we only confirm the vulnerability related to Xiaomi's business , and will do the rating according to the actual impact.\n* We have set up a \"sheriff\" service for SSRF testing. If you believe you have an SSRF in production, please use the following port combinations for testing: https://ssrf.dun.mi.com/ssrf/hacker. The \"hacker\"  can be customized to distinguish between:\n    * If there is an echo display, a complete page screenshot of echo display (including text length, complete echo/partial echo) shall be submitted in the report.\n    * If there is no echo display, the content and access time of the custom field will be informed in the report, and Xiaomi Security will conduct verification.\n \n------------ \n\n# Vulnerabilities and Reward Structure \nThe decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.\nPlease note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty. 
\n\n## _WEB VULNERABILITIES_\n**Categorisation**\n* Important businesses: account.xiaomi.com , jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com etc \n* General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services\n* Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n\n*Please note that the list above may be updated according to business changes at any time*\n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1000~$2000\n* General Business: $400~$1000\n* Edge business：$150~$300\n \n**Examples of CRITICAL vulnerabilities**\n* Directly obtain system permissions,including but not limited to, SQL injection, remote overflows etc.\n* Obtain sensitive users' data vulnerabilities, including but not limited to, order traversal, SQLinjection etc.\n* Pay vulnerabilities, including but not limited serious logic error, obtaining lots of profits to cause company and users' loss\n* Damage Xiaomi account system vulnerabilities, such as obtaining users' details, login mi cloud and control phone, obtain mipay authority etc.\n \n### Bounties for HIGH Vulnerabilities \n* Important Business: $300~$600\n* General Business: $150~$300\n* Edge Business: $50\n \n**Examples of HIGH vulnerabilities**\n* Including but not limited to SQL injection \n* Some activity, business logic vulnerabilities, such as obtain some profits from scores and red envelopes \n* Weak password or bypass verification to access backend clients and with some actual authority or sensitive information\n* Obtain partial users' sensitive information\n* Code disclosure vulnerabilities that make a huge impact\n* SSRF intranet return intranet information (Please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* Login individual accounts vulnerabilities by user interaction and have actual user operating authority\n* Privilege escalation 
which causes great damage to key functions. Design defect vulnerabilities, such as obtaining a large amount of valid user information through logic vulnerabilities\n* Access to core business cookies and other sensitive information, or can cause widespread stored XSS\n\n### Bounties for MEDIUM vulnerabilities \n* Important Business: $50~$80\n* General Business: $50\n* Edge Business: Not eligible for bounty\n \n**Examples of MEDIUM vulnerabilities**\n* Disclosure of a few users' information\n* Stored XSS vulnerabilities\n* Privilege escalation which causes some damage, such as editing or deleting comments, changing functional properties, etc.\n* File inclusion and directory traversal vulnerabilities which could expose some sensitive information\n* Code disclosure that cannot be exploited\n* SSRF into the intranet with no echo or partial echo that cannot obtain information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)\n* GitHub disclosure such as employees' mailboxes and online server account passwords, etc.\n* CSRF on key functions\n* File upload vulnerabilities that cause phishing or stored XSS harm\n* Vulnerabilities that need strong, multi-step interaction (two or more steps) to have an impact\n* Domain name pointing errors that can be hijacked\n \n### LOW vulnerabilities\n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities**\n* Reflected XSS\n* Insensitive information disclosure from third-party platforms like GitHub\n* CSRF in non-critical business\n* Temporary file disclosure/debug info disclosure\n* phpinfo\n* Unchecked URL redirection\n* Mail/SMS bombing\n* Vulnerabilities that depend on difficult scenarios or pre-conditions\n* Insensitive .svn or .git disclosure\n* Nginx integer overflow\n* \"HTTP Host Header\" XSS \n\n \n## _MOBILE VULNERABILITIES_\nPlease note that vulnerabilities of 
low severity will be triaged but not awarded with a bounty. \n\n**Testing Scope and Categorisation**\n* All the apps of MIUI 12 Global \n* Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService\n* General Business: other apps of Xiaomi Inc. and apps preinstalled in MIUI \n \n \n### Bounties for CRITICAL Vulnerabilities \n* Important Business: $1500~$6000\n* General Business: $700~$3000\n \n**Examples of CRITICAL vulnerabilities**\n* Severe logic vulnerabilities which could cause economic losses to users\n* Obtaining system root permission\n* Remote command execution\n* Remote access to users' sensitive information\n* Bypassing permissions to access payment data or users’ authentication data in the TEE\n* Bypassing secure-boot protections, such as SELinux\n* Arbitrary command execution in the TEE\n* System-level remote permanent denial of service which affects the system’s important features, such as Wi-Fi, SMS and telephony.\n \n\n### Bounties for HIGH Vulnerabilities \n* Important Business: $700~$1500\n* General Business: $300~$700\n\n**Examples of HIGH vulnerabilities**\n* Remote access to most of or part of users' sensitive information\n* Vulnerabilities which are of no use to an attacker but may lead to great loss for users\n* Vulnerabilities which need some interaction logic and can lead to great loss for users\n* Obtaining system permission\n* Bypassing the lock screen at system level (must be tested on the latest development version and be universally reproducible)\n* Bypassing authentication to access sensitive data in the TEE other than that mentioned at the critical level above\n* Local leak of users’ sensitive information\n* Android or Chromium vulnerabilities which have remained unfixed for more than 6 months and are hazardous (PoC and exploit)\n* Remote permanent denial of service of an important app\n* Requires installing a malicious app to gain access to the victim app without interaction\n* Requires installing a malicious app to clone an app in the newest Android native environment\n* Requires installing a malicious app to bypass permission 
restrictions and read users' private data.\n \n \n### Bounties for MEDIUM Vulnerabilities \n* Important Business: $150~$300\n* General Business: $75~$150\n\n**Examples of MEDIUM vulnerabilities**\n* Vulnerabilities which can make the system restart or cause denial of service of some features by installing an app\n* Hijacking that causes some harm\n* Interface logic vulnerabilities which can deceive users, enable phishing, etc.\n* Bypassing the lock screen at app level\n* Bypassing authentication for the find phone function or resetting the phone\n* Local leak of general users’ information\n* System remote temporary denial of service\n* Requires installing a malicious app to clone an app in an older Android native environment\n* Requires installing a malicious app to read users’ sensitive information in an older Android native environment\n* SQL injection of sensitive information in a local app\n \n \n### LOW vulnerabilities \n\nPlease note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.\n\n**Examples of LOW vulnerabilities** \n* Unsafe app configuration\n* Low risk information disclosure\n* Vulnerabilities which can only be exploited under complex conditions\n* Application upgrade hijacking\n* Requires physical contact, specific scenarios or users’ cooperation to endanger the security of information\n* Loading an arbitrary URL through an exposed component for phishing\n* Requires installing a malicious app to read sensitive information that is not users' information \n* SQL injection of insensitive information in a local app\n* Invoking other apps' components to open any address or file, but unable to obtain the data, by installing a malicious app\n \n \n## _HARDWARE VULNERABILITIES_\n\n**Testing Scope and Categorisation**\n* Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products. \n* For hardware / IoT assets specifically not listed in the Scope section, please submit a vulnerability to “Other hardware assets”. 
\n \n### Bounties for HIGH Vulnerabilities \nReward: $3000\n \n**Examples of HIGH vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field non-contact mode\n* Unauthorized control over the target device via the Internet, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with a camera to monitor video)\n* Serious logic flaws that can cause large economic losses \n \n### Bounties for MEDIUM Vulnerabilities \nReward: $1500\n \n**Examples of MEDIUM vulnerabilities**\n* Execute arbitrary code or obtain user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through a LAN environment.\n* Unauthorized control of the target device through a LAN or in near-field non-contact mode, or performing functions for unexpected purposes (such as broadcasting arbitrary video on a TV, tampering with a camera to monitor video)\n \n### Bounties for LOW Vulnerabilities \nReward: $300\n\n**Examples of LOW vulnerabilities**\n* Implanting malicious code into or tampering with the firmware of the target device through physical access, without dismantling the device \n* Denial-of-service (not including traffic and performance attacks) impact on the device via the Internet or LAN\n\n--------- \n\n# Out-of-Scope Vulnerabilities \n\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n* Design flaws and best practices that do not lead to security vulnerabilities\n* Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. 
Self-XSS/having a user paste JavaScript into the browser console/unserviceable exposure of third-party API keys with no significant security impact \n* Subdomain takeovers where it cannot be proven that the subdomain can be taken over \n* Minimal security implications such as logout/unauthenticated/low-impact CSRF, low-impact CRLF, self-use CSRF, clickjacking, UI redressing\n* Content spoofing / text injection that cannot be leveraged for XSS or sensitive data disclosure\n* Session not invalidated after logout\n* Disclosure of insensitive information such as:\n    * Software version\n    * HTTP status codes/pages, other non-sensitive HTTP codes/pages, etc., and insensitive information files\n    * Public links, such as social media profile pictures, live videos, etc.\n* Reflected file download attacks\n* SSRF vulnerabilities that cannot obtain relevant intranet server information, only a simple DNS log access without any impact\n* Misconfigurations such as: \n    * DNS issues (i.e. MX records, SPF records, etc.)\n    * Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n    * Presence of autocomplete attribute on web forms\n    * Mixed content warnings\n    * Missing security-related HTTP headers which do not lead directly to a vulnerability\n* (Mobile) Code security and user data storage\n    * Absence of certificate pinning\n    * Sensitive data in URLs/request bodies when protected by TLS\n    * User data stored unencrypted on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n    * Lack of obfuscation is out of scope\n    * OAuth \u0026 app secrets hard-coded/recoverable in the APK\n    * Any kind of sensitive data protected by the app private directory\n    * Lack of binary protection controls in Android apps\n    * App setting allowBackup:true\n* (Mobile) Local DoS attacks with limited impact\n    * Sending 
malformed intents to exported components that only causes the app to crash\n    * Browser crashes due to excessive resource requests\n    * Local DoS attacks that users can resolve by restarting the browser\n* (Mobile) Others\n    * Any data leak because the malicious app has acquired the appropriate permissions\n    * Runtime hacking exploits using tools such as, but not limited to, Frida/AppMon (exploits only possible in a jailbroken environment)\n    * Spoofing vulnerabilities that are not very deceptive\n    * Attacks that are only possible on lower versions of Android\n\n--------- \n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n\nIf you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.\n\nThanks for keeping Xiaomi and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-19T09:02:59.339Z"}]