UPDATE [5 June 2020] - Securing TencentOS: With bounties up to USD$140,000!
Tencent is formally launching a special project that focuses on Tencent’s own
server and IoT operating system. This project will last throughout the year
and the maximum bounty for a single vulnerability will be up to USD$140,000.
Duration: Starting from 8 June 2020 09:00 (GMT+8) to 31 December 2020 23:59
For the specific in-scope assets, rules of engagement, reward amounts and
assessment guidelines, please refer to the "Securing TencentOS" Announcement
hosted on TSRC. You are to submit your reports to TSRC directly via this link.
Good luck and we look forward to working with you to enhance our security!
To expand its community of researchers and recruit global talent, Tencent
is partnering with HackerOne to run its Bug Bounty Program.
Please note that the program will be externally hosted on the Tencent
Security Response Centre (TSRC) and Tencent will only be accepting report
submissions through the TSRC platform. Rewards offered on TSRC are entirely
driven and decided by Tencent.
If you believe you have discovered a vulnerability, kindly disclose it to Tencent
responsibly and we’ll work with you to ensure we remediate the issue to the
best of our ability. We look forward to working with the community to find
vulnerabilities in order to keep our businesses and customers safe.
Submitting Vulnerability Reports
- Before reporting a vulnerability, please ensure you read our TSRC Bug Bounty Program policy page, which details the following:
  - Rules of Engagement
  - Rewards Structure and Evaluation Criteria
  - In-Scope and Out-of-Scope Assets
  - Out-of-Scope Vulnerabilities
- Click here to report a vulnerability on TSRC and provide details of your finding.
- You don’t need to sign in/have an account to report and can easily log into TSRC with your Twitter/Facebook/Google+ account.
- You must fill out your profile on the TSRC website and provide Tencent with the necessary information, especially your HackerOne username and the email that is tied to it.
- We will review your report on TSRC within 1-3 working days.
- If your report is valid, we will set it as “Triaged” and inform you of next steps.
Bounty Payouts and Hacker Reputation Points
- Bounty payouts for eligible reports will be done through HackerOne. Researchers will require a HackerOne account to receive the bounty.
- Researchers will be requested to provide Tencent with the necessary information, such as email and HackerOne ID, when creating a profile on TSRC.
  - Researchers with an existing HackerOne account: Researchers must provide the email that is tied to their existing HackerOne username.
  - Researchers will receive a notification from HackerOne to claim a bounty.
  - Researchers without an existing HackerOne account: Researchers must provide an email address which will be used to claim the bounty on HackerOne.
Note that upon the bounty payout, you will continue to receive your
HackerOne reputation points (+7 points per report, and additional points based
on the severity) and updates to your stats.
You may find more information and instructions about bounty payouts here.
For any questions or clarifications, you may contact the Tencent Security Team.
This program was found on HackerOne on 2020-07-21.