2023-08-16
Ezviz - Bug Bounty Program

Announcements

Dear Hunters,

Thank you for your passion and dedication to our bug bounty program. We would like to let you know that our internal evaluation team will not be fully staffed during the Chinese New Year season. We will continue to collect your reports, but we will suspend evaluation until February 6th. After that, we will resume processing reports, and it may take a few days to respond to your findings.
Please be assured that we will evaluate all reports and continue to maintain the program.

Have a great Chinese New Year!
Ezviz Security Team

About

EZVIZ

  • Established in 2013, EZVIZ dedicates itself to creating a safe, convenient and smart life for users worldwide through its IoT products, advanced technologies and cloud services.

Program Rules

Thank you for your interest in the EZVIZ bug bounty program.

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our Products or Services.
  • If you believe you've found a security bug relating to us, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Vulnerability Classification

Critical Vulnerabilities

  1. Ability to access any user's camera for live video streaming or playback.
  2. Full access to the database of core applications.
  3. Direct vulnerabilities to obtain core system permissions, including but not limited to:
    • Command injection
    • Remote command execution
    • Web shell upload
    • SQL injection leading to system permissions
    • Buffer overflows (including exploitable ActiveX buffer overflows)
    • Remote kernel code execution vulnerabilities
    • Other remote code execution vulnerabilities caused by logic flaws (assessed based on the confirmed permissions obtained).
  4. Severe information leaks, including but not limited to:
    • SQL injection vulnerabilities in core databases
    • Exposing three or more sensitive information fields
    • Affecting a significant amount of data (≥100,000 records).
    • If not meeting these thresholds, scoring will be adjusted based on the actual scenario.
    • Sensitive fields: Personal names, ID numbers, addresses, contact information, bank account numbers, full transaction details, etc.
  5. Major logic design flaws, including but not limited to:
    • Arbitrary account login
    • Password reset
    • Unauthorized financial transactions
    • Payment processing issues.

High-Risk Vulnerabilities

  1. Vulnerabilities that directly provide general system permissions, including but not limited to:
    • Command injection
    • Remote command execution
    • Web shell upload
    • SQL injection leading to system permissions
    • Buffer overflows (including exploitable ActiveX buffer overflows)
    • Remote kernel code execution vulnerabilities
    • Other remote code execution vulnerabilities caused by logic flaws (assessed based on the confirmed permissions obtained).
  2. Sensitive information leaks, including but not limited to:
    • SQL injection vulnerabilities in non-core databases
    • Exposing three or more sensitive information fields
    • Affecting a significant amount of data (≥10,000 records).
    • If not meeting these thresholds, scoring will be adjusted based on the actual scenario.
    • Sensitive fields: Personal names, ID numbers, addresses, contact information, bank account numbers, full transaction details, etc.
  3. SSRF vulnerabilities that allow direct access to the internal network with complete response feedback.
  4. Privilege escalation, including but not limited to:
    • Unauthorized modifications of important information
    • Bypassing authentication to access administrative backends
    • Modifying critical business configurations (evaluated based on actual business scenarios).

Medium-Risk Vulnerabilities

  1. Vulnerabilities enabling the direct theft of user identity information, including:
    • Stored XSS vulnerabilities on critical pages
    • SQL injection vulnerabilities on standard websites.
  2. Unauthorized access, including but not limited to:
    • Bypassing restrictions on normal interfaces to modify user data
    • Performing user operations
    • Weak administrative passwords (evaluated based on actual business scenarios).
  3. Ordinary information leaks, including but not limited to:
    • Internal source code package leaks
    • Cloud platform key exposure
    • Vulnerabilities with proven exploitability and significant impact
    • Leaking a certain amount of personal sensitive information (scored based on actual scenarios).
  4. Exploitable communication protocol vulnerabilities or business logic flaws with some level of impact.

Low-Risk Vulnerabilities

  1. Vulnerabilities requiring user interaction to obtain identity information, including but not limited to:
    • Reflected XSS (including reflected DOM-XSS)
    • JSON hijacking
    • CSRF in sensitive operations
    • Stored XSS in standard business processes.
  2. Minor logical design flaws, including but not limited to:
    • Bypassing SMS verification codes
    • Email verification bypass
    • Brute-forcing SMS codes
    • SMS bombing.
  3. Minor information leakage vulnerabilities, including but not limited to:
    • Internal system source code leaks on GitHub
    • phpinfo leaks
    • Logcat leaks of sensitive information
    • Leaked valid internal account credentials.
  4. Hard-to-exploit issues that may pose potential security risks, including but not limited to:
    • Self-XSS
    • CSRF for non-critical operations
    • File parsing vulnerabilities.
  5. Minor unauthorized access vulnerabilities, including but not limited to:
    • Unauthorized operations on non-core functional interfaces (evaluated based on actual business scenarios).

No Impact

  1. Non-security-related bugs, such as:
    • Webpage garbling
    • Functional defects
    • Styling issues.
  2. Non-exploitable "vulnerabilities," including but not limited to:
    • Scanner reports with no practical significance (e.g., low-version web servers)
    • Self-XSS
    • HTML Injection
    • JSON hijacking without sensitive data
    • CSRF without sensitive operations
    • Meaningless source code leaks
    • Internal IP/domain leaks
    • Logcat information leaks without sensitive data.
  3. Low-risk or hard-to-exploit vulnerabilities, such as:
    • PDF XSS
    • URL redirection
    • Email bombing
    • SSRF that cannot access internal networks
    • Username enumeration
    • Concurrent requests affecting insignificant data (e.g., page views, sign-up numbers, unimportant likes/ratings)
    • Meaningless API key leaks
    • Command execution vulnerabilities providing only dnslog feedback.
  4. Other issues not directly demonstrating a vulnerability, including user speculation.
  5. Vulnerabilities that YSRC personnel confirm to be non-reproducible.
  6. Previously known vulnerabilities that will be ignored, with the submitter informed via the submission platform.
  7. Non-business-related vulnerabilities not affecting core products or caused by non-core product security issues.
  8. Vulnerabilities in test, pre-release, or private cloud demo environments (e.g., domains starting with t, test, pb, etc.) unless proven to affect production environments.
  9. Local denial-of-service vulnerabilities in mobile clients, including those caused by component permissions.

Reward Eligibility and Responsible Disclosure

We are happy to thank everyone who submits a valid report that helps us improve the security of EZVIZ; however, only reports that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • "OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the affected endpoints, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. Regardless, such reports will be reviewed on a case-by-case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service systems (refrain from using automated tools, and limit your requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of EZVIZ or one of its contractors.
  • Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial disclosure, is allowed.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the security or privacy of our users.

  • Avoid tests that could cause degradation or interruption of our service systems.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any system.
  • Do not copy any files from the system or disclose them.

In Scope

Scope Type        Scope Name
web_application   Hardware found on https://www.ezviz.com/category/security-wifi-cameras
web_application   Hardware found on https://www.ezviz.com/category/smart-home
web_application   i.ys7.com
web_application   open.ys7.com
web_application   auth.ys7.com
web_application   api.ys7.com
web_application   api.ezvizlife.com
web_application   usauth.ezvizlife.com
web_application   ius.ezvizlife.com
web_application   *.ys7.com

Out of Scope

Scope Type        Scope Name
web_application   scc-chat.ys7.com
web_application   Test environment (for example: test.ys7.com)
web_application   Pre-release environment (for example: pb.ys7.com)
web_application   ezcpcloudiot.eziot.com

This policy, crawled by Onyphe on 2023-08-16, is sorted as bounty.