Bug bounty
Public

Ezviz - Bug Bounty Program

Established in 2013, EZVIZ dedicates itself to creating a safe, convenient and smart life for users through its intelligent devices, advanced AI technologies and cloud services.

Reward (Bounty, Hall of fame)

  Low       $300
  Medium    $1,000
  High      $2,500
  Critical  $5,000

Program

  Avg reward: -
  Max reward: -
  Scopes: 13
  Supported languages: English, Chinese

Hacktivity

  Reports: 444
  1st response: < 3 days
  Reports last 24h: 2
  Reports last week: 36
  Reports this month: 61

About

EZVIZ

  • Established in 2013, EZVIZ dedicates itself to creating a safe, convenient and smart life for worldwide users through our IoT products, advanced technologies and cloud services.

Program Rules

Thank you for your interest in the EZVIZ bug bounty program.

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our Products or Services.
  • If you believe you've found a security bug relating to us, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Reward Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports that help us improve the security of EZVIZ; however, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • "OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. Regardless, such reports will be reviewed on a case-by-case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service systems (refrain from using automated tools, and limit your rate of requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of EZVIZ or one of its contractors.
  • Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial disclosure, is allowed.

Vulnerability Classification

Critical Vulnerabilities

  1. Vulnerabilities that directly obtain core system permissions. Including but not limited to:
    (Able to obtain any user's real-time camera video and playback; able to obtain full database permissions of core applications; obtaining system permissions through command injection, remote command execution, uploading to obtain a WebShell, SQL injection to obtain system permissions, buffer overflow (including exploitable ActiveX buffer overflow), remote kernel code execution vulnerabilities, and other remote code execution vulnerabilities caused by logic issues (based on the permissions actually obtained).)

  2. Severe information leakage. Including but not limited to SQL injection vulnerabilities in core databases; leakage of three or more sensitive information fields, and the affected amount reaching a certain scale (greater than or equal to 100,000 records); if not met, the score will be adjusted according to the actual situation.
    (Sensitive information fields refer to personal real name, ID number, address, contact information, bank card number, complete transaction information, etc.)

  3. Severe logical design flaws. Including but not limited to arbitrary account login for core domain products, arbitrary account password modification (non–brute-force vulnerabilities caused by other business logic issues), arbitrary account fund consumption, transaction and payment issues (for mainstream hardware products such as cameras/door locks/robot vacuums, and for value-added services such as cloud storage that can affect core product transaction pricing; relatively niche value-added services may be downgraded after evaluating actual business impact), and other severe logical vulnerabilities.


High-Risk Vulnerabilities

  1. Vulnerabilities that directly obtain general system permissions. Including but not limited to: command injection, remote command execution, uploading to obtain WebShell, SQL injection to obtain system permissions, buffer overflow (including exploitable ActiveX buffer overflow), remote kernel code execution vulnerabilities, and other remote code execution vulnerabilities caused by logic issues (based on the permissions actually obtained).

  2. Sensitive information leakage. Including but not limited to SQL injection vulnerabilities in non-core databases; leakage of three or more sensitive information fields, with affected quantity reaching a certain scale (greater than or equal to 10,000 records); if not met, the score will be adjusted according to the actual situation.
    (Sensitive information fields refer to personal real name, ID number, address, contact information, bank card number, complete transaction information, etc.)

  3. SSRF vulnerabilities that can directly access the Ezviz internal network with full response, and can access core business network segments; if not, severity may be lowered.

  4. Privilege escalation vulnerabilities. Including but not limited to unauthorized modification of important information, bypassing authentication to directly access admin backend, important business configuration changes, and other significant unauthorized operations (based on actual business scenarios).


Medium-Risk Vulnerabilities

  1. Vulnerabilities that can directly steal user identity information. Including stored XSS on critical pages, SQL injection on ordinary sites.

  2. Unauthorized access. Including but not limited to unauthorized bypass of restrictions to modify user information, perform user actions, backend weak passwords, etc. (based on actual business scenarios).

  3. Common information leakage. Including but not limited to leakage of internal source code packages, cloud platform key leakage, vulnerabilities that can be proven exploitable and can cause certain damage or leak a certain amount of personal sensitive information (scored based on actual situation).

  4. Exploitable communication protocol vulnerabilities and business logic vulnerabilities with certain impact.


Low-Risk Vulnerabilities

  1. Vulnerabilities that require interaction to obtain user identity information. Including but not limited to reflected XSS (including reflected DOM-XSS), CSRF for important sensitive operations, stored XSS in ordinary business.

  2. Common logical design flaws. Including but not limited to SMS verification bypass, email verification bypass, brute-forcing SMS codes, SMS bombing, etc.

  3. Minor information leakage vulnerabilities. Including but not limited to internal system source code leaked on GitHub, phpinfo, correct internal network account credentials, etc.

  4. Minor unauthorized access. Including but not limited to unauthorized operations on non-critical core functional interfaces (based on actual business scenarios).


No Impact

  1. Non-security-related bugs. Including but not limited to garbled webpages, product feature defects, layout issues.

  2. “Vulnerabilities” that cannot be exploited. Including but not limited to meaningless scanner-reported vulnerabilities (e.g., low-version web server), self-XSS, JSON hijacking without sensitive information, CSRF without sensitive operations, meaningless source code leakage, internal IP addresses/domain name leakage, logcat leakage without sensitive data.

  3. Vulnerabilities with extremely low risk or difficult to exploit. Including but not limited to PDF XSS, URL redirection, email bombing, SSRF that cannot reach internal networks, SSRF without response, username enumeration, concurrent requests modifying unimportant data in certain products (e.g., view count, number of signups, non-important like/score features), meaningless API key leakage, command execution vulnerabilities that only provide dnslog results.

  4. Other issues that cannot directly demonstrate a vulnerability. Including but not limited to purely user speculation.

  5. Vulnerabilities that cannot be reproduced. Including but not limited to issues confirmed as non-reproducible by YSRC specialists.

  6. Vulnerabilities already known through other channels will be ignored, and the reporter will be notified through the submission system.

  7. Non–Ezviz business vulnerabilities, vulnerabilities not related to Ezviz product defects, and security issues not directly caused by Ezviz products.

  8. Vulnerabilities from test environments, pre-release environments, or private cloud demo environments (e.g., domain names starting with t, test, pb, etc.), unless there is evidence that the vulnerability also affects the production environment.

  9. Local denial-of-service vulnerabilities in mobile clients. Including but not limited to local DoS caused by component permissions.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the security or privacy of our users.

  • Avoid tests that could cause degradation or interruption of our service systems.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any system.
  • Do not copy any files from the system or disclose them.

Reward

Bounty by asset value (rows) and CVSS severity (columns):

  Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
  Critical      $300       $1,000        $2,500      $5,000
  High          $20        $110          $560        $1,400
  Medium        $10        $60           $280        $1,400

Scopes

Each scope is listed with its type, asset value, and the bounty for each CVSS severity (Low / Medium / High / Critical):

  • Hardware found on https://www.ezviz.com/category/security-wifi-cameras (Other, asset value Critical): $300 / $1,000 / $2,500 / $5,000
  • Hardware found on https://www.ezviz.com/category/smart-home (Other, asset value Critical): $300 / $1,000 / $2,500 / $5,000
  • api.ezvizlife.com (Web application, asset value High): $20 / $110 / $560 / $1,400
  • open.ys7.com (Web application, asset value High): $20 / $110 / $560 / $1,400
  • www.ezviz.com (Web application, asset value High): $20 / $110 / $560 / $1,400
  • *.ezviz.com (Web application, asset value Medium): $10 / $60 / $280 / $1,400
  • *.ys7.com (Web application, asset value Medium): $10 / $60 / $280 / $1,400
  • *.ezvizlife.com (Web application, asset value Medium): $10 / $60 / $280 / $1,400
  • *.eziot.com (Web application, asset value Medium): $10 / $60 / $280 / $1,400
  • *.ezviz7.com (Web application, asset value Medium): $10 / $60 / $280 / $1,400
  • *.hicloudcam.com (Web application, asset value Medium): $10 / $60 / $280 / $1,400
  • *.hikops.com (Web application, asset value Medium): $10 / $60 / $280 / $1,400
  • *.ezvizru.com (Web application, asset value Medium): $10 / $60 / $280 / $1,400

Out of scopes

  • Test environment (for example: test.ys7.com)
  • Pre-release environment (for example: pb.ys7.com)
  • Demo environment (for example: ezcpcloudiot.eziot.com)

Vulnerability types

Qualifying vulnerabilities

  • Unauthorized access to user cameras for live streaming/playback
  • Full database access or SQL injection exposing sensitive core database data
  • Command injection, remote command execution, web shell upload, or Remote Code Execution (RCE) (including kernel-level exploits like buffer overflows)
  • Large-scale data exposure (≥100,000 records or three sensitive fields) or sensitive data leaks (≥10,000 records)
  • Severe business logic flaws (e.g., account login, password reset, unauthorized financial transactions)
  • System permission vulnerabilities (e.g., command injection, RCE, SQLi)
  • SSRF enabling internal network access
  • Privilege escalation (e.g., authentication bypass, administrative backend access)
  • Theft of identity information via XSS or SQLi on critical pages
  • Unauthorized access to modify user data or perform operations
  • Ordinary data leaks (e.g., source code, cloud key exposure, or logs)
  • Exploitable communication protocols or business logic flaws
  • Reflected XSS, JSON hijacking
  • Minor logic flaws (e.g., bypassing SMS/email verification)
  • Minor data leaks (e.g., source code, sensitive logs, or phpinfo leaks)
  • Self-XSS or file parsing vulnerabilities with noticeable impact
  • Unauthorized access on non-critical functional interfaces

Non-qualifying vulnerabilities

  • Non-security-related bugs (e.g., webpage garbling, functional defects, styling issues)
  • Non-exploitable "vulnerabilities" (e.g., scanner reports with no practical significance, self-XSS, HTML Injection, JSON hijacking without sensitive data, CSRF without sensitive operations, meaningless source code leaks, internal IP/domain leaks, logcat leaks without sensitive data)
  • Low-risk or hard-to-exploit vulnerabilities (e.g., PDF XSS, URL redirection, email bombing, SSRF without internal network access, username enumeration, concurrent requests affecting insignificant data, meaningless API key leaks, command execution with only dnslog feedback)
  • Other issues not directly demonstrating a vulnerability, including user speculation
  • Non-reproducible vulnerabilities confirmed as irreproducible by our team
  • Non-business-related vulnerabilities not affecting core products or caused by non-core product issues
  • Vulnerabilities in test, pre-release, or private cloud demo environments unless proven to affect production environments
  • Local denial-of-service vulnerabilities in mobile clients caused by component permissions

Hunting requirements

Account access

Ezviz devices

There are no credentials to be provided as this is a blackbox test.

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to log in with your hunter account.