2020-05-19
Xiaomi

TABLE OF CONTENTS

  • Ground Rules

  • Response target

  • Disclosure Policy

  • General Vulnerability Assessment

  • Vulnerabilities and Reward Structure

    • Privacy Vulnerabilities

    • Web Vulnerabilities

    • Mobile Vulnerabilities

    • Hardware Vulnerabilities

  • Out of scope Vulnerabilities

  • Safe Harbour

  • FAQ


Ground Rules

  • The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Xiaomi Security Center hopes to raise the comprehensive security of our products by working closely with individuals, organizations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve security.

  • Respect our users’ privacy: We oppose and condemn the actions of hackers who use vulnerability testing as an excuse for, e.g., exploiting vulnerabilities to steal user data, intruding into Xiaomi’s services, changing, copying or stealing data from related system services, or maliciously disseminating vulnerabilities or data.

  • Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.

  • Dispute resolution: when the results of a vulnerability review are disputed, we will handle the dispute in accordance with the principle of prioritizing the reporter's interests; if necessary, external parties may be invited to decide jointly, and the CVSS standard may be introduced.

  • This platform is only intended for international white hats. Chinese white hats should submit their reports to the Xiaomi Security Center: https://sec.xiaomi.com/


The Log4j2 JNDI injection vulnerability is a widespread, general-purpose vulnerability. According to our general vulnerability handling principles, the company is carrying out internal self-examination, upgrades and repairs at this stage, so Log4j-related reports will be treated as neglected. Thanks to the white hats for their help and assistance with Xiaomi's security work. Thank you for being with us all along.


Response Targets

Xiaomi will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 5 business days

  • Time to bounty (from triage) - 7 business days

We’ll try to keep you informed about our progress throughout the process.

Please do not spam messages and followups in your report if our response timings are within the targets above. We appreciate your patience as we work through the reports we have received.


Disclosure Guidelines

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Xiaomi Team.

  • Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability and comply with the format stated in the Eligibility for Bounty section.


General Vulnerability Assessment

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Unverified vulnerability reports produced by automated tools or scanners will be ignored or receive reduced awards.

  • The final assessment of each vulnerability is determined by the impact, the risks and the current mitigation measures.

  • Multiple vulnerabilities caused by the same source count as one vulnerability, for example multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, etc.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • For vulnerabilities in third-party components, we only confirm previously unknown (0-day) issues, and only the first submission.

  • For vulnerabilities in partner manufacturers' products, we only confirm those related to Xiaomi's business, and rate them according to their actual impact.

  • We have set up a "sheriff" service for SSRF testing. If you believe you have found an SSRF in production, please use the following URL format for testing: https://ssrf.dun.mi.com/ssrf/hacker. The "hacker" segment can be customized to distinguish your tests:

    • If the response is echoed back, submit a complete page screenshot of the echoed content (including the text length and whether the echo is complete or partial) in the report.

    • If there is no echo, state the content of the custom segment and the access time in the report, and Xiaomi Security will verify it.

  • Vulnerabilities regarding information disclosure of cloud storage buckets (e.g. S3, KSS, FDS, etc.):

    • We will confirm internally whether the information or link should be publicly accessible/viewable.

    • Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information.


Vulnerabilities and Reward Structure

The decision to grant a reward for a vulnerability report and the value of a reward is entirely within Xiaomi’s discretion and will be based on the impact and severity of the reported vulnerability.

Please note that Web and Mobile app vulnerabilities of low severity will be triaged but not awarded with a bounty.

> ## PRIVACY VULNERABILITIES

Testing Scope: Xiaomi mobile apps preinstalled on Xiaomi Mobile Phones

| App Name | Package Name |
| ------------------ | ----------------------- |
| App Vault | com.mi.android.globalminusscreen |
| Backup & Reset (Backup) | com.miui.backup |
| Browser (Mi Browser) | com.mi.globalbrowser |
| Downloads | com.android.providers.downloads.ui |
| File Manager | com.mi.android.globalFileexplorer |
| Gallery | com.miui.gallery |
| Messaging (Network Messaging) | com.android.mms |
| Mi Video (Mi Video Player) | com.miui.videoplayer |
| Music (Mi Music) | com.miui.player |
| Security (Security Center) | com.miui.securitycenter |
| Weather | com.miui.weather |
| Mint Keyboard | com.mint.keyboard |
| GetApps | com.xiaomi.mipicks |
| Settings | com.android.settings |
| Mi Store | com.mi.global.shop |
| Mi Community | com.mi.global.bbs |
| Gallery | com.miui.android.fashiongallery |
| Mi Drop | com.xiaomi.midrop |
| Mi Cloud | com.miui.cloudservice |
| Themes | com.android.thememanager |
| Notes | com.miui.notes |
| Camera | com.android.camera |
| Clock | com.android.deskclock |
| Compass | com.miui.compass |
| Mi Account | com.xiaomi.account |
| Mi Calculator | com.miui.calculator |
| Recorder | com.android.soundrecorder |
| Screen Record | com.miui.screenrecorder |
| Services & Feedback (Bug Report) | com.miui.bugreport |
| System Launcher (Desktop Launcher) | com.miui.home |

Bounties

| High Severity | Medium Severity | Low Severity |
| -------------- | ------------------ |---------------|
| $200-$500 | $100-$200 | $50-$100 |

Examples of HIGH Vulnerabilities

  • Undisclosed vulnerabilities which will lead to great impact to Xiaomi business.

  • New vulnerabilities that involve new technology or have never been reported in the industry, and that will bring great impact to the Xiaomi business.

Examples of MEDIUM Vulnerabilities

  • Collecting user's personal information before obtaining the user's consent.

  • User's personal information is still collected after user's rejection on collection such information.

  • The personal information actually collected exceeds the scope of user authorization.

Examples of LOW Vulnerabilities

  • Not publicly disclosing the rules for collecting and using personal information in the privacy policy.

  • Not providing mobile users with a method of deleting their personal information.

  • Not providing mobile users with a method of modifying their personal information.


> ## WEB VULNERABILITIES

Categorisation

  • Important businesses: account.xiaomi.com, jr.mi.com, mi.com, xiaomiyoupin.com, mipay.com, miui.com, miwifi.com, etc.

  • General businesses: miliao.com, duokan.com, c.mi.com, game.mi.com, Xiaomi’s entertainment services

  • Edge businesses: Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions

Please note that the list above may be updated at any time according to business changes.

Bounties for CRITICAL Vulnerabilities

| Business type | Bounty |
| ------------------ | ----------- |
| Important Business | $1000~$2000 |
| General Business | $400~$1000 |
| Edge Business | $150~$300 |

Examples of CRITICAL vulnerabilities

  • Directly obtaining system permissions, including but not limited to SQL injection, remote overflows, etc.

  • Vulnerabilities that obtain sensitive user data, including but not limited to order traversal, SQL injection, etc.

  • Payment vulnerabilities, including but not limited to serious logic errors that yield large profits and cause losses to the company and users

  • Vulnerabilities that compromise the Xiaomi account system, such as obtaining users' details, logging in to Mi Cloud and controlling the phone, obtaining Mi Pay authority, etc.

Bounties for HIGH Vulnerabilities

| Business type | Bounty |
| ------------------ | --------- |
| Important Business | $300~$600 |
| General Business | $150~$300 |
| Edge Business | $50 |

Examples of HIGH vulnerabilities

  • Including but not limited to SQL injection

  • Some activity or business logic vulnerabilities, such as obtaining profits from scores and red envelopes

  • Weak passwords or verification bypass giving access to backend clients with some actual authority or sensitive information

  • Obtaining partial users' sensitive information

  • Code disclosure vulnerabilities with a huge impact

  • SSRF that returns intranet information (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)

  • Vulnerabilities that log in to individual accounts through user interaction and grant actual user operating authority

  • Privilege escalation that causes great damage to key functions, and design defect vulnerabilities such as obtaining a large amount of valid user information through logic vulnerabilities

  • Complete access to core business session cookies and other sensitive information, or widespread cross-account stored XSS

Bounties for MEDIUM vulnerabilities

| Business type | Bounty |
| ------------------ | ----------------------- |
| Important Business | $50~$80 |
| General Business | $50 |
| Edge Business | Not eligible for bounty |

Examples of MEDIUM vulnerabilities

  • Disclosure of a few users' information

  • Stored XSS vulnerabilities

  • Privilege escalation that causes some damage, such as editing or deleting comments, changing functional properties, etc.

  • File inclusion and directory traversal vulnerabilities that expose some sensitive information

  • Code disclosure that cannot be exploited

  • SSRF with no echo or partial echo that cannot obtain intranet information or service permissions (please use this test link for SSRF: https://ssrf.dun.mi.com/ssrf/hacker)

  • GitHub disclosure such as employees' mailboxes and online server account passwords, etc.

  • CSRF on key functions

  • File upload leading to phishing or stored XSS

  • Issues that require strong or multi-step interaction (two or more steps) to have an impact

  • Misconfigured domain name pointing that can be hijacked

LOW vulnerabilities

Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.

Examples of LOW vulnerabilities

  • Reflected XSS

  • Insensitive information disclosure from third-party platforms like GitHub.

  • CSRF in non-critical business.

  • Temporary file disclosure/debug info disclosure

  • phpinfo page disclosure

  • Unvalidated URL redirection

  • Mail/SMS bombing

  • Vulnerabilities dependent on difficult scenarios or pre-conditions

  • Insensitive .svn or .git disclosure

  • "HTTP Host Header" XSS


> ## MOBILE VULNERABILITIES

Testing Scope and Categorisation

  • All apps of MIUI 12 Global

  • Important Business: MiHome, AI Sound, Xiaomi Shop, Application Store, Xiaomi Account, Xiaomi CloudService

  • General Business: other Xiaomi Inc. apps and apps preinstalled in MIUI

Bounties for CRITICAL Vulnerabilities

| Business type | Bounty |
| ------------------ | ----------- |
| Important Business | $1500~$6000 |
| General Business | $700~$3000 |

Examples of CRITICAL vulnerabilities

  • Severe logic vulnerabilities that could cause users economic losses

  • Obtaining system root permission

  • Remote command execution

  • Bypassing permissions to access payment data or users’ authentication data in the TEE

  • Bypassing secure boot or system protections such as SELinux

  • A permanent denial-of-service attack launched remotely that makes the device unusable and requires a reflash or double wipe to recover

Bounties for HIGH Vulnerabilities

| Business type | Bounty |
| ------------------ | ----------- |
| Important Business | $700~$1500 |
| General Business | $300~$700 |

Examples of HIGH vulnerabilities

  • Remote access to a large portion of users' sensitive information

  • Issues that need some interaction logic but can lead to great user losses

  • Obtaining system permission

  • Bypassing the lock screen at system level (must be tested on the latest development version and be universally reproducible)

  • Bypassing authentication to access sensitive data in the TEE other than the data mentioned at the critical level

  • Android or Chromium vulnerabilities that have remained unfixed for more than 6 months and are hazardous (PoC and exploit)

  • Remote permanent denial of service against an important app

  • Gaining access to the victim app without interaction, requiring a malicious app to be installed

  • A permanent denial-of-service attack launched locally that makes the device unusable and requires a reflash or double wipe to recover

  • A temporary denial-of-service attack launched remotely that causes the device to go down or reboot

Bounties for MEDIUM Vulnerabilities

| Business type | Bounty |
| ------------------ | ----------- |
| Important Business | $150~$300 |
| General Business | $75~$150 |

Examples of MEDIUM vulnerabilities

  • Hijacking that causes some harm

  • Interface logic vulnerabilities that can deceive users, enable phishing, etc.

  • Bypassing the lock screen at app level

  • Cloning the app in a lower-version Android native environment, requiring a malicious app to be installed

  • Reading users’ sensitive information in a lower-version Android native environment, requiring a malicious app to be installed

  • SQL injection exposing sensitive information in a local app

LOW vulnerabilities

Please note that low severity vulnerabilities will be triaged accordingly and you will receive reputation points, but will be ineligible for bounty as per our reward structure.

Examples of LOW vulnerabilities

  • Unsafe app configuration

  • Low-risk information disclosure

  • Vulnerabilities that can only be exploited under complex conditions

  • Application upgrade hijacking

  • Issues that need physical contact, specific scenarios or users’ cooperation to endanger information security

  • Loading an arbitrary URL through an exposed component for phishing

  • Reading sensitive information that is not users' information, requiring a malicious app to be installed

  • SQL injection exposing insensitive information in a local app

  • Using a malicious app to make other apps' components open an arbitrary address or file, without being able to obtain the data

  • Browser address bar spoofing attack

  • A temporary denial-of-service attack launched locally that causes the device to go down or reboot, affecting system availability


> ## HARDWARE VULNERABILITIES

Testing Scope and Categorisation

  • Accepted ranges of hardware in Xiaomi’s Program include Xiaomi and Mijia products.

  • For hardware / IoT assets not specifically listed in the Scope section, please submit the vulnerability under “Other hardware assets”.

Bounties for HIGH Vulnerabilities

Reward: $1500-$4000

Examples of HIGH vulnerabilities

  • Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the Internet or in near-field contactless mode

  • Unauthorized control over the target device via the Internet, or using functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)

* Serious logic flaws that can cause large economic losses

Bounties for MEDIUM Vulnerabilities

Reward: $400-$1500

Examples of MEDIUM vulnerabilities

  • Executing arbitrary code or obtaining user privacy data (video, audio, passwords, authentication keys/tokens, network traffic) on the target device through the LAN environment.

  • Unauthorized control of the target device through the LAN or in near-field contactless mode, or using functions for unexpected purposes (such as broadcasting arbitrary video on a TV, or tampering with a camera to monitor video)

Bounties for LOW Vulnerabilities

Reward: $150-$400

Examples of LOW vulnerabilities

  • Implanting malicious code or tampering with the firmware of the target device through physical access, without dismantling the device

  • Denial-of-service impact (not including traffic and performance attacks) on the device via the Internet or LAN


Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Design flaws and best practices that do not lead to security vulnerabilities

  • Vulnerabilities that cannot be used to exploit other users or Xiaomi, e.g. self-XSS (having a user paste JavaScript into the browser console), or unserviceable exposure of third-party API keys with no significant security impact

  • Subdomain takeovers where a takeover cannot be demonstrated

  • Issues with minimal security implications, such as logout CSRF, unauthenticated or low-impact CSRF, low-impact CRLF injection, self-use CSRF, low-impact clickjacking or UI redressing, or misconfigurations that lead to CORS without any information leak

  • Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data disclosure.

  • Session not invalidated after logout

  • Disclosure of insensitive information, such as:

    • Error messages: software version/IP

    • Uploaded files that cannot be parsed

    • Vulnerabilities that can only be reproduced in certain old IE browser versions

    • HTTP status code pages or other non-sensitive pages/files

    • Public links, such as social media profile pictures, live videos, etc.

  • Reflected file download attacks

  • SSRF that cannot obtain intranet server information and only produces a DNS log entry, with no impact

  • Misconfigurations such as:

    • DNS issues (i.e. MX records, SPF records, etc.)

    • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)

    • Presence of autocomplete attribute on web forms

    • Mixed content warnings

    • Missing security-related HTTP headers which do not lead directly to a vulnerability

(Mobile) Code security and user data storage

  • Absence of certificate pinning

  • Sensitive data in URLs/request bodies when protected by TLS

  • User data stored unencrypted on external storage (Except for APP logs with sensitive information or user data for which encryption has been promised)

  • Lack of obfuscation

  • OAuth & app secrets hard-coded/recoverable in the APK

  • Any kind of sensitive data stored in the app's private directory

  • Lack of binary protection controls in Android apps

  • App manifest setting allowBackup=true

(Mobile) Local DoS attacks with limited impact

  • Sending malformed intents to an exported component that only crashes the app

  • Browser crashes due to excessive resource requests

  • Local DoS attacks that users can resolve by restarting the browser

(Mobile) Others

  • Any data leak where the malicious app has already acquired the appropriate permissions

  • Runtime hacking exploits using tools such as, but not limited to, Frida/AppMon (exploits only possible in a jailbroken environment)

  • Spoofing vulnerabilities with little deceptive effect

  • Attacks that only work on older Android versions


Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If you have any suggestions for our program, please send us an email at security@xiaomi.com to give us feedback. If the suggestions are adopted, Xiaomi Security will send you an extra reward on your report.

Thanks for keeping Xiaomi and our customers secure!


FAQ

  • Will Xiaomi secretly fix the neglected vulnerability?

Absolutely not! If a neglected vulnerability is later fixed, it is because of changes to the business itself that happened to repair the vulnerability, rather than Xiaomi ignoring hackers' reports and fixing it secretly.

In Scope

| Scope Type | Scope Name |
| ------------------ | ----------------------- |
| android_application | com.android.browser |
| hardware | Mi/Redmi Phone |
| hardware | Mi Band |
| hardware | Mi Home Webcam |
| hardware | Mi Robot Vacuum |
| hardware | Mi TV Box |
| hardware | Mi Laser Projector |
| hardware | Mi TV |
| hardware | Mi Electric Scooter |
| other | Other Hardware Assets |
| other | MIUI OS for Xiaomi Phone |
| other | Other APK Assets |
| web_application | *.mi.com |
| web_application | *.xiaomi.com |
| web_application | *.miui.com |
| web_application | *.xiaomiyoupin.com |
| web_application | *.miwifi.com |
| web_application | com.miui.micloudsync |
| web_application | com.xiaomi.smarthome |
| web_application | com.xiaomi.market |
| web_application | com.mi.global.shop |
| web_application | com.xiaomi.mibrain.speech |
| web_application | com.xiaomi.account |
| web_application | com.xiaomi.payment |
| web_application | com.xiaomi.mipicks |
| web_application | com.xiaomi.micloud.sdk |
| web_application | com.miui.cloudbackup |
| web_application | com.miui.cloudservice |


FireBounty crawled the Xiaomi program on the HackerOne platform on 2020-05-19.
