Update date: June 13, 2022
This program includes the following products of ZTE:
1. Vulnerability Bounties and Rating Standards
1.1 Vulnerability Bounties
Rewards are determined by the impact of the vulnerability on the product (severity, scope of influence, score, etc.) and by the clarity of the vulnerability report.
1.2 Vulnerability Rating Standards
1) Vulnerabilities that can be used to directly obtain the permissions of core systems (management and control systems that can manage a large number of servers, such as core control systems, domain controllers, service distribution systems, bastion hosts, firewalls, etc.) or of core servers, including but not limited to: web shell upload, arbitrary code execution, remote command execution, server-side file parsing vulnerabilities, file inclusion vulnerabilities, remote buffer overflow, virtual machine escape, or SQL injection that yields system permissions;
2) Serious information leak vulnerabilities in core systems, including but not limited to: SQL injection against a core database, leak of important sensitive information of a large number of users (including at least three of the following sensitive fields: name/ID card number, bank card information, phone number/email, password, and address), breach of the enterprise's internal core data, or leak of configuration data and log data of core equipment;
3) Serious logical design errors or process defects in core systems that cause great losses to users and the company, including but not limited to: batch modification of arbitrary account passwords, consumption of funds from arbitrary accounts, payment vulnerabilities that allow arbitrary amount modification, etc.;
4) Vulnerabilities that can remotely cause a permanent and serious impact on the availability of core systems and core servers, including but not limited to: DoS vulnerabilities that directly bring down core system services and core servers.
1) Vulnerabilities that can be used to directly obtain the permissions of important service servers, including but not limited to: web shell upload, arbitrary code execution, arbitrary command execution, server-side file parsing vulnerabilities, file inclusion, remote buffer overflow, or SQL injection;
2) Vulnerabilities that directly lead to important information leaks, including but not limited to: SQL injection against an important database, file traversal, arbitrary file read, and leak of a large amount of source code or compressed packages of important services;
3) Vulnerabilities that affect a wide range of users, including but not limited to: stored XSS that can propagate automatically across core services, stored XSS that can obtain administrator authentication information and is demonstrably exploitable, CSRF that can be used to build a worm, and XSS vulnerabilities in important client products that can obtain sensitive information or perform sensitive operations;
4) Serious broken access control, including but not limited to: weak passwords or authentication bypass giving access to important background management systems, batch theft of users' important identity information, and remotely obtaining control of ordinary mobile clients and executing arbitrary commands or code;
5) Serious logical design errors or process defects, such as arbitrary password reset vulnerabilities in important systems;
6) Vulnerabilities that can remotely cause a permanent and serious impact on the availability of important service systems and important servers, including but not limited to: DoS vulnerabilities that directly bring down important system services and servers.
1) Vulnerabilities that require user interaction to obtain user identity information, including but not limited to: CSRF on important sensitive operations and stored XSS in common services;
2) Serious information leaks, including but not limited to: SQL injection that can only obtain non-sensitive data, blind SSRF (no response echoed back), leak of source code or compressed packages that contain sensitive information (such as database connection passwords), leak of sensitive authentication keys stored locally (a working exploitation path is required), etc.;
3) Common broken access control, including but not limited to: bypassing access restrictions on non-important background management systems, insecure direct object references, bypassing restrictions on modifying user data, performing user operations, reading user information, and tampering with non-key services;
4) Common logical design errors, including but not limited to: vulnerabilities caused by successfully brute-forcing sensitive system operations, such as verification code logic errors that allow arbitrary account login and arbitrary password retrieval, password reset or account login through brute-forcing a four-digit verification code, and unlimited SMS sending, etc.;
5) Arbitrary file operation vulnerabilities, including but not limited to: arbitrary file read/write/delete/download, and arbitrary file upload, such as uploading HTML that results in stored XSS.
1) XSS vulnerabilities, including but not limited to: reflected XSS (including DOM XSS and Flash XSS), JSON hijacking, stored XSS in common services, etc.;
2) Broken access control with limited harm.
1.3 No Reward Scope
The following attacks are excluded from the scope of our bug bounty program:
1) Vulnerabilities in products or models not listed in the bounty program shall not be rewarded (except for vulnerabilities with a great impact);
2) Software functionality errors that have no security impact;
3) Slight information leaks, including but not limited to: absolute path leak, phpinfo, svn/cvs information leak, web directory traversal, system path traversal, directory listing, local logs containing some sensitive information, etc.;
4) Vulnerabilities that pose potential security risks but are difficult to exploit, including but not limited to: sensitive security vulnerabilities that require continuous user interaction, SQL injection points that are difficult to exploit, and local denial of service on the client;
5) Unexploitable vulnerabilities, including but not limited to: a scanner report without proof of harm, CSRF on non-sensitive operations, meaningless source code leaks, and intranet IP address/domain name leaks;
6) Problems that do not directly demonstrate the existence of a vulnerability, including but not limited to problems that are merely speculated by the submitter;
7) Vulnerabilities that are already known or have been disclosed online;
8) Vulnerabilities found by testing a mobile phone with the developer mode enabled;
9) Enumerating mobile phone numbers to send messages, enumerating user names (mailboxes) to determine whether they are registered, mailbox bombing, or privilege escalation of no significance;
10) Email spoofing;
11) Open redirect (URL jump) vulnerabilities;
12) Any forms of social engineering attacks;
13) Low-impact local DoS attacks;
14) Temporary denial-of-service attacks that cause the system to hang or the device to restart (vulnerabilities that cause a service process to hang or exit abnormally may be assessed exceptionally);
15) All brute force denial-of-service attacks;
16) Any attack that renders the device permanently inoperable;
17) Scenarios that require excessive user interaction or tricking users, such as phishing or clickjacking;
18) Reports based on information obtained through illegal access of ZTE's confidential information;
19) Full or partial path disclosure except when a real security impact can be demonstrated;
20) If the same vulnerability has multiple submitters, only the first submitted report will receive the reward and credit. If a patch for the vulnerability is already being drafted, the report will also be regarded as invalid;
21) No reward shall be given for open-source and third-party vulnerabilities that affect ZTE equipment (vulnerabilities with a greater impact may be assessed exceptionally, with a reward amount lower than that for an original vulnerability of the same level).
2. Report Requirements
So that we can reproduce the vulnerability, your report must contain a detailed vulnerability description and a complete POC or exploit.
2.1 Report description requirements
1) Vulnerability description, which needs to include the vulnerability types, the causes, the methods of exploitation, and the potential risks;
2) Affected product or service name, module name, detailed version information, and specific vulnerability location;
3) Detailed steps required to reproduce the vulnerability, described step by step using text, screenshots, diagrams, etc. (submitting a reproduction video is recommended).
2.2 POC or Exploit requirements
1) Provide a complete and compilable POC or exploit that successfully verifies the reported vulnerability;
2) Compilation and running environment description, including: compiler name, compiler version, compilation options, operating system version, and other necessary information;
3) The result of running the POC or exploit must be consistent with what is described in your report.
A vulnerability report should include a detailed vulnerability description, proof of harm, and a POC. Reports that are too brief or lack proof of harm will be downgraded or ignored.
Please ensure that your submission does not raise intellectual property issues and does not contain content prohibited by law or religion.
We strongly suggest you report ZTE-related security vulnerabilities to ZTE PSIRT (firstname.lastname@example.org) and use our PGP public key (key ID: FF095577) to encrypt sensitive information.
3. Legal Information
The following rules apply to your participation in our bug bounty program and to reporting vulnerabilities to us:
1) You shall only exploit, investigate, or attack vulnerabilities within your own accounts or devices;
2) Your testing activities must not negatively impact the availability or performance of ZTE's products or services, disrupt ZTE online services, attack ZTE's internal or external servers, or cause damage to data or physical assets;
3) Do not download sensitive service data during testing, including but not limited to source code or users' personal data. Such information must not be used, disclosed, stored, or recorded in any form. If such data is downloaded unintentionally, report it promptly with an explanation and delete the file;
4) Do not disclose any details of security vulnerabilities in ZTE's products or services to any third party without ZTE's written approval;
5) Do not intentionally create or spread malicious programs such as computer viruses;
6) Do not infringe any third party's rights (including intellectual property rights);
7) You must not be an employee, outsourced employee, or contractor of ZTE or its subsidiaries, or an immediate family member of such an employee, outsourced employee, or contractor.
If you use security testing as a pretext to exploit vulnerability information to damage user interests, disrupt normal service operations, or steal user data, and this causes us losses or violates laws and regulations, ZTE Corporation reserves the right to pursue legal liability.
4. Reward Payment
1) Reward amounts range from CNY 200 to CNY 60,000 for qualifying vulnerabilities. Each vulnerability is rewarded based on its severity, attack complexity, scope of impact, and report quality;
2) Rewards for reproduced vulnerabilities are paid by bank transfer from ZTE Corporation. To complete the bounty payment, we need to collect your nationality, city, real name, mobile phone number, ID card number, home or company address, bank card number, name of the deposit bank, bank SWIFT code, etc. We promise that this information will be used only for our payment and for no other purpose;
3) To comply with applicable tax law, we withhold and remit personal income tax when paying your bounty.
5. Dispute Resolution
If, during the handling of a vulnerability, the reporter objects to the handling process, the vulnerability assessment, or the vulnerability scoring, please send an email to email@example.com and our staff will answer your questions as soon as possible.
1) We will regularly update the list of products/services included in the reward scope;
2) Irrelevant security questions will not be answered or processed, and response times during holidays will be longer;
3) This bug bounty program takes effect from the date of issuance. ZTE has full discretion to determine the severity level, the reward amount, and the payment process. ZTE also reserves the right to suspend the bug bounty program at any time;
4) ZTE PSIRT has the final right to interpret all the above terms.
7. Revision Record
V1.0 2020.9.19 initial release
V1.1 2020.10.19 Updated the scope of products participating in the bug bounty program
V1.2 2020.10.30 Updated the amount of the reward
V1.3 2020.12.11 Updated the scope of products participating in the bug bounty program
V1.4 2021.1.15 Updated the scope of products participating in the bug bounty program
V1.5 2021.4.15 Updated the amount of the reward
V1.6 2021.4.26 Updated the scope of products participating in the bug bounty program
V1.7 2021.8.6 Updated the scope of products participating in the bug bounty program
V1.8 2022.1.27 Updated the amount of the reward, the reward range, vulnerability rating standards, no reward scope, legal information, etc.
V1.9 2022.6.13 Updated the scope of products participating in the bug bounty program