Event
- We are happy to announce that we are holding an event from 1st to 31st April 2024, during which we will provide 1.5x the reward for valid Critical Scope (Hardware Devices) reports. We look forward to your participation. Good luck and happy hunting!
About
EZVIZ
- Established in 2013, EZVIZ dedicates itself to creating a safe, convenient and smart life for users worldwide through our IoT Products, advanced technologies and cloud services.
Program Rules
Thank you for your interest in the EZVIZ bug bounty program.
- We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our Products or Services.
- If you believe you've found a security bug relating to us, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Reward Eligibility and Responsible Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security of EZVIZ; however, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below).
- "OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered eligible for a reward and other reports will be closed as Informative. Regardless, such reports will be reviewed on a case-by-case basis.
- You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof of concept code as necessary.
- You must avoid tests that could cause degradation or interruption of our service systems (refrain from using automated tools, and limit your requests per second).
- You must not leak, manipulate, or destroy any user data.
- You must not be a former or current employee of EZVIZ or one of its contractors.
- Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
- No vulnerability disclosure, including partial disclosure, is allowed.
Testing Policy
Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the security or privacy of our users.
- Avoid tests that could cause degradation or interruption of our service systems.
- Do not use automated scanners or tools that generate a large amount of network traffic.
- Do not leak, manipulate, or destroy any user data or files in any system.
- Do not copy any files from the system or disclose them.
In Scope
| Scope Type | Scope Name |
| --- | --- |
| web_application | Hardware found on https://www.ezviz.com/category/security-wifi-cameras |
| web_application | Hardware found on https://www.ezviz.com/category/smart-home |
| web_application | i.ys7.com |
| web_application | open.ys7.com |
| web_application | auth.ys7.com |
| web_application | api.ys7.com |
| web_application | api.ezvizlife.com |
| web_application | usauth.ezvizlife.com |
| web_application | ius.ezvizlife.com |
| web_application | *.ys7.com |
| web_application | .eziot.com |
| web_application | *.guardingvision.com |
| web_application | *.hicloudcam.com |
| web_application | *.shipin7.com |
| web_application | *.hik-connect.com |
| web_application | *.hikops.com |
Out of Scope
| Scope Type | Scope Name |
| --- | --- |
| web_application | scc-chat.ys7.com |
| web_application | Test environment (for example: test.ys7.com) |
| web_application | Pre-release environment (for example: pb.ys7.com) |
This policy, crawled by Onyphe on 2023-08-16, is sorted as bounty.