Update date: January 27, 2022
This program is applicable to all assets of ZTE Corporation and its subsidiaries (with 50% owned by ZTE Corporation).
1. Vulnerability Bounties and Rating Standards
1.1 Vulnerability Bounties
According to the severity, vulnerabilities are divided into four levels: [Critical], [High], [Medium], and [Low]. The bounties for each level are as follows:
1.2 Vulnerability Rating Standards
[Critical]
1) Vulnerabilities that can be used to directly obtain OS permissions on the asset, including but not limited to: arbitrary command execution, multi-channel Getshell, remote code execution, and buffer overflow, etc.;
2) Vulnerabilities that can directly lead to the disclosure of a large number of users' personal private information or ZTE's confidential information, including but not limited to SQL injection (excluding credential-stuffing and brute-force attacks);
3) Vulnerabilities that can be used to obtain host command execution permission through virtual machine escape.
4) Vulnerabilities that can lead to intranet roaming (lateral movement).
[High]
1) Vulnerabilities that directly cause large-scale information leaks, such as SQL injection in general systems;
2) Stored XSS vulnerabilities that can be used to obtain the login information of the administrator of the target system and successfully log in to the management background of the target system, or can construct worms and affect mass users;
3) Logical vulnerabilities that directly cause serious impacts, including but not limited to: changing the password of any account, obtaining the operation permissions of the background management system, and obtaining sensitive service information in batches;
4) Broken access control, including but not limited to: bypassing authentication to access the background management system, and obtaining documents that can only be downloaded by administrators;
5) Arbitrary file read vulnerabilities that expose database connection information and thereby allow the database to be dumped;
6) Vulnerabilities that can directly access or invoke important internal services or interfaces;
7) Vulnerabilities that cause the core system DoS, system breakdown, or BSOD;
8) Vulnerabilities that can be used to obtain system permissions, such as general system command execution, getshell, buffer overflow or weak password of administrator, etc.;
9) Vulnerabilities that can cause intranet roaming;
[Medium]
1) Vulnerabilities that require user interaction to obtain sensitive user data, such as reflected XSS that can obtain user information, stored XSS on general pages, etc.;
2) Logical vulnerabilities or broken access control vulnerabilities that can only cause non-sensitive business data breach;
3) Vulnerabilities that can bypass security controls to generate a lot of junk data and affect the normal use of users;
4) Vulnerabilities that can change system logs or application system logs;
5) Arbitrary file read vulnerabilities or XXE vulnerabilities that cannot cause serious impact;
6) Unauthorized access vulnerabilities that leak interface information or database query information, such as exposed Druid or Swagger UI consoles;
7) Vulnerabilities that can abuse general services or tamper with non-core data;
8) CSRF vulnerabilities of core business pages;
9) SQL injection vulnerabilities that have a small amount of data and cannot directly obtain system permissions.
10) Weak passwords of employees that cannot bypass the two-factor authentication mechanism.
[Low]
4) Vulnerabilities that can be used to bypass SMS or graphical verification codes to brute-force accounts;
5) SQL injection vulnerabilities that cannot arbitrarily obtain database data;
6) Minor information leak vulnerabilities, such as website directory traversal, IIS short file name disclosure, SVN information leak, security log leak, phpinfo and Tomcat sample file leak, Django running with debug mode enabled, workspace.xml file leak, etc.;
1.3 No Reward Scope
1) Vulnerabilities on assets that are not listed in the bounty program shall not be rewarded (vulnerabilities with great impact may be evaluated exceptionally);
2) Software defects that are irrelevant to security, such as a web page that cannot be opened, a garbled web page, a slow web page response, or bypassing authentication and verification rate limits by changing the restricted object (for example, by using a proxy pool or similar techniques);
3) If multiple persons or the same person submit duplicate vulnerabilities, only the first submitter who clearly describes the vulnerability and whose report can be reproduced is regarded as valid; the others will not be rewarded. No reward shall be given for vulnerabilities that have already been published on the Internet;
4) No reward shall be given for open source and third-party vulnerabilities that affect ZTE web application systems (vulnerabilities with a greater impact may be assessed exceptionally, and the reward amount will be lower than that of original vulnerabilities of the same level);
5) Any non-sensitive information leak, such as website code exception information leak, intranet IP address leak, email address leak, or Tomcat sample file leak;
6) Arbitrary file upload vulnerabilities where the uploaded files cannot be parsed by the server;
7) Vulnerabilities whose existence can only be proved but for which no way of exploitation is provided or which cannot be exploited directly;
8) Vulnerabilities that are assumed to exist based on version comparison alone, without proof of exploitation;
9) Scanning results without proof of actual harm;
10) Vulnerabilities that can only traverse static files on the website;
11) Vulnerabilities such as DDoS, clickjacking, web applications that do not enable HTTPS, mailbox bombing, and weak passwords of registered users, etc.;
12) Insecure coding issues that only achieve a phishing effect through a complicated exploitation path;
13) Arbitrary user registration vulnerabilities;
14) Arbitrary URL redirect vulnerabilities that can be used to redirect to other domain names by modifying the URL;
15) Reflected XSS and CSRF vulnerabilities that cannot obtain sensitive information or permissions;
16) Session fixation;
17) Logical vulnerabilities that do not have a serious impact, such as forum post spamming ("brushing"), obtaining forum virtual currency, and increasing virtual points;
18) Logical vulnerabilities or broken access control vulnerabilities that can only cause data breach that can be accessed by registered users;
2. Report Requirements
In order to reproduce the vulnerability, your report must contain a detailed vulnerability description and a complete POC or Exploit.
2.1 Report description requirements
1) Vulnerability description, which needs to include the vulnerability types, the causes, the methods of exploitation, and the potential risks;
2) Affected domain name and specific vulnerability location;
3) Describe the detailed steps required to reproduce the vulnerability using text, screenshots, graphics, etc. Describe the reproduction process step by step (submitting a vulnerability reproduction video is recommended).
2.2 POC or Exploit requirements
1) Provide a complete and compilable POC or Exploit that can be used to successfully verify the reported vulnerability;
2) A description of the compilation and running environment, including: compiler name, compiler version, compilation options, operating system version, and other necessary information;
3) The running result of the POC or Exploit should be consistent with that described in your report.
Please ensure that your submission does not involve intellectual property issues, and does not contain the contents prohibited by law or religion.
We strongly suggest you report ZTE-related security vulnerabilities to ZTE PSIRT (firstname.lastname@example.org) and use our PGP public key (key ID: FF095577) to encrypt the sensitive information.
3. Legal Information
Participating in the bug bounty program and reporting to ZTE shall not involve any illegal activities:
1) You may only exploit, investigate, or attack vulnerabilities on your own accounts or devices;
2) Your testing activities shall not negatively impact the availability or performance of ZTE's products or services, and shall not interrupt ZTE's online business, attack ZTE's internal or external servers, or cause damage to data or physical assets;
3) You shall not download sensitive service data during the test, including but not limited to: source code or users' personal data, etc. Such information shall not be used, disclosed, stored, or recorded in any way. If any unintended download occurs, you shall promptly report and explain it and delete the file;
4) Without ZTE's prior written consent, it is prohibited to disclose any details about vulnerabilities in ZTE's products or services (to any third party other than you);
5) The data obtained through a SQL injection or privilege escalation vulnerability shall not exceed 5 records;
6) Do not generate large amounts of data traffic through automated scanning by software or tools;
7) Do not make intrusion attempts by phishing attacks or social engineering, etc.;
8) Do not intentionally create and spread malicious programs such as computer viruses;
9) Do not infringe any third-party rights (including intellectual property rights);
10) You shall not be an employee or outsourced employee or contractor of ZTE Corporation and its subsidiaries, or an immediate family member of an employee or outsourced employee or contractor.
4. Reward Payment
1) The reward amount ranges from $15 to $1500 for qualified vulnerabilities. Each vulnerability will be rewarded based on severity, attack complexity, impact scope, and report quality;
2) Reproduced vulnerabilities will be rewarded by bank transfer from a ZTE Corporation bank account. In order to complete the bounty payment, we need to collect your nationality, city, real name, mobile phone number, ID card number, home or company address, bank card number, name of the deposit bank, bank SWIFT code, etc. We promise that this information will only be used for our payment and will not be used for other purposes.
3) In order to comply with applicable tax-related legal requirements, we withhold and pay personal income tax when paying your bonus.
5. Dispute Resolution
In the process of handling vulnerabilities, if the reporter has objections to the handling process, vulnerability assessment, or vulnerability scoring, please send an email to email@example.com; our staff will answer your questions as soon as possible.
1) We will regularly update the list of products/services included in the reward scope;
2) Irrelevant security questions submitted will not be answered or processed, and the response time during holidays will be delayed;
3) This bug bounty program shall come into force from the date of issuance. ZTE has the full right to determine the severity level, the reward amount, and the payment process. ZTE also reserves the right to suspend the bug bounty program at any time;
4) ZTE PSIRT has the final right to interpret all the above terms.
7. Revision Record
V1.0 2020.9.19 initial release
V1.1 2020.10.30 Updated the amount of the reward
V1.2 2020.11.16 Updated the reward range
V1.3 2021.3.16 Updated Vulnerability Rating Standards
V1.4 2021.4.19 Updated Vulnerability Rating Standards
V1.5 2022.1.27 Updated the amount of the reward, the reward range, vulnerability rating standards, no reward scope, legal information, etc.