Ezviz - Bug Bounty Program
Established in 2013, EZVIZ dedicates itself to creating a safe, convenient and smart life for users through its intelligent devices, advanced AI technologies and cloud services.
Program Rules
Thank you for your interest in EZVIZ bug bounty program.
- We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our Products or Services.
- If you believe you've found a security bug relating to us, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Reward Eligibility and Responsible Disclosure
We are happy to thank everyone who submits a valid report that helps us improve the security of EZVIZ; however, only reports that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below).
- "OneFixOneReward": If two or more endpoints share the same codebase and a single fix resolves the issue on all of them, only one endpoint is eligible for a reward and the other reports will be closed as Informative. Such reports are nevertheless reviewed on a case-by-case basis.
- You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof-of-concept code as necessary.
- You must avoid tests that could cause degradation or interruption of our service systems (refrain from using automated tools, and limit your request rate).
- You must not leak, manipulate, or destroy any user data.
- You must not be a former or current employee of EZVIZ or one of its contractors.
- Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
- No vulnerability disclosure, including partial disclosure, is allowed.
Testing Policy
Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the security or privacy of our users.
- Avoid tests that could cause degradation or interruption of our service systems.
- Do not use automated scanners or tools that generate large amounts of network traffic.
- Do not leak, manipulate, or destroy any user data or files in any system.
- Do not copy any files from the system or disclose them.
Reward
Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
---|---|---|---|---
 | $100 | $500 | $1,000 | $3,000
 | $15 | $100 | $600 | $1,400
 | $10 | $50 | $300 | $700
Scopes
Scope | Type
---|---
Hardware found on https://www.ezviz.com/category/security-wifi-cameras | other
Hardware found on https://www.ezviz.com/category/smart-home | other
i.ys7.com | web-application
open.ys7.com | web-application
auth.ys7.com | web-application
api.ys7.com | web-application
api.ezvizlife.com | web-application
usauth.ezvizlife.com | web-application
ius.ezvizlife.com | web-application
*.ys7.com | web-application
.eziot.com | web-application

Every scope is rewarded on the Low / Medium / High / Critical grid above.
Out of scope
- scc-chat.ys7.com
- Test environment (for example: test.ys7.com)
- Pre-release environment (for example: pb.ys7.com)
Vulnerability types
Qualifying vulnerabilities
- SQL Injection (SQLi)
- Horizontal and vertical privilege escalation
- Business logic vulnerabilities with real security implications
- Authentication bypass & broken authentication
- Code injection (HTML, JS, SQL, PHP, ...)
- Remote Code Execution (RCE)
- Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Insecure Direct Object References (IDOR)
- Overflow-type vulnerabilities that can cause the device to crash
- Vulnerabilities that can lead to the disclosure of truly sensitive information on the device
Non-qualifying vulnerabilities
- Lack of expiration on auth tokens
- Vulnerabilities affecting outdated browsers: we only consider reports against the latest stable versions of Safari, Firefox, Chrome, Edge and IE
- Known CVEs without working PoC
- Denial of Service (DoS) attacks
- Self XSS
- "HTTP Host Header" XSS
- Missing cookie flags
- Mixed content warnings
- Lack of HTTP security headers (CSP, X-XSS, etc.)
- SSL/TLS best practices
- No rate-limiting enforced
- Clickjacking/UI redressing
- Software version disclosure
- Stack traces, path disclosure, directory listings, etc.
- Physical or social engineering attempts like phishing
- Recently disclosed 0-day vulnerabilities
- Presence of autocomplete attribute on web forms
- Issues that require physical access to a victim's computer/device
- Logout and other instances of low-severity CSRF
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
- Incomplete or missing SPF/DKIM/DMARC on mail servers
- Security best practices without real security impact
- Attacks requiring MITM or physical access to a user's device (exempted for hardware vulnerabilities)
- Enumeration/account oracles: the possibility to enumerate phone numbers, emails, GUIDs, etc. and receive an indication that they exist
- Issues caused by 3rd party libraries
- Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
- Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
Hunting requirements
Account access
Ezviz devices
There are no credentials to be provided as this is a blackbox test.
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.