2024-11-25
2025-03-11
Ant Group Security Response Center - Bug Bounty Program

Ant Group looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. If you believe you have discovered a vulnerability, kindly disclose it responsibly via MySRC.

Program Policy

  • Malicious reporters will be banned.
  • Irrelevant problems will be ignored.
  • Employees of Ant Group and Alibaba Group cannot participate in the award plan, directly or indirectly.
  • The award plan is only available to users submitting reports through AntSRC or through YWH.
  • AntSRC holds the right of final interpretation for the award plan.

Report Submission

Please fill in all relevant vulnerability details and submit via https://security-en.alipay.com/home according to the required standards.

  • Important: Please keep your vulnerability strictly confidential. No credit or rewards will be given if the issue is disclosed publicly before it is fixed.
  • Please note: Rewards paid through YesWeHack will be issued through a private bug bounty program. We will invite you to that program and pay you there.

Vulnerability Evaluation Process

Once a report is submitted, AntSRC will evaluate it within 48 hours.

AntSRC will contact you if necessary for clarification or further testing.

Additional Incentives: Critical Vulnerabilities

Submissions that meet Critical severity may qualify for a cash bonus ranging from USD 1337 to USD 31337, in addition to the swag.

What qualifies as "Critical"?

  1. Vulnerabilities that can lead to escalation of privileges on core servers, including but not limited to:

    • Memory corruption
    • WEBSHELL upload
    • Remote Code Execution (RCE)

    Note: Core servers refer to those storing information on funds, identities, and transactions.

    • Core sensitive information leakage vulnerabilities, including those caused by loose permission controls.
  2. Logic vulnerabilities in core business processes that can be massively exploited to cause financial or reputational damage to the company or users, including but not limited to:

    • Account credential validation logic
    • Data verification logic in core APIs
    • Payment logic flaws
    • SQL injection vulnerabilities that:
      • Allow direct command execution
      • Leak sensitive data from core databases, such as user IDs, order information, or bank card details

Additional Cash Bonus (USD 1,337 – USD 31,337)

Eligible vulnerabilities include:

  • Large-scale user account information leakage or unauthorized privilege changes
  • Ability to massively acquire sensitive user data, such as orders
  • Capability to take control of important servers

Submission Requirements

To help us process reports efficiently, please append [YWH] to your report title.

Example Title:
[YWH] SQL Injection on example.net at /example/register

Submissions with the [YWH] tag will be prioritized for review and processing during the promotional period. This helps us quickly identify participants eligible for the swag reward and ensures faster triage.

Contact AntSRC

For any questions or clarifications, you may contact the Ant Group Security Response Center at
antsrc@service.alipay.com

In Scope

Scope Type      | Scope Name
web_application | *.alipayplus.com
web_application | *.antom.com
web_application | *.worldfirst.com
web_application | bettrfinancing.com
web_application | anext.com.sg
web_application | alipayhk.com
web_application | antbank.hk
web_application | Any Other Applications found here: https://security-en.alipay.com/home

Out of Scope

Scope Type      | Scope Name
undefined       | All domains or subdomains not listed in the above list of 'Scopes'.
undefined       | Not Belonging to Ant Group’s Products or Systems.
web_application | Third-party applications and websites


This policy, crawled by Onyphe on 2024-11-25, is sorted as bounty.
