Bug bounty
Public

Ezviz - Bug Bounty Program

Established in 2013, EZVIZ dedicates itself to creating a safe, convenient and smart life for users through its intelligent devices, advanced AI technologies and cloud services.

Reward

Bounty ranges by severity:

  • Low: $10 to $100
  • Medium: $100 to $500
  • High: $500 to $1,000
  • Critical: $1,000 to $3,000

Program

  • Avg reward: -
  • Max reward: -
  • Scopes: 11

Supported languages: English

Hacktivity

  • Reports: 153
  • 1st response: > 10 days
  • Reports last 24h: -
  • Reports last week: 5
  • Reports this month: 7

About

EZVIZ

  • Established in 2013, EZVIZ dedicates itself to creating a safe, convenient and smart life for worldwide users through our IoT products, advanced technologies and cloud services.

Program Rules

Thank you for your interest in the EZVIZ bug bounty program.

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our Products or Services.
  • If you believe you've found a security bug relating to us, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Reward Eligibility and Responsible Disclosure

We are happy to thank everyone who submits a valid report that helps us improve the security of EZVIZ; however, only reports that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • "OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. Regardless, such reports will be reviewed on a case-by-case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service systems (refrain from using automated tools, and limit your number of requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of EZVIZ or one of its contractors.
  • Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial disclosure, is allowed.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the security or privacy of our users.

  • Avoid tests that could cause degradation or interruption of our service systems.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any system.
  • Do not copy any files from the system or disclose them.


Reward

Bounty by asset value (rows) and CVSS severity (columns):

  Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
  Critical      $100       $500          $1,000      $3,000
  High          $15        $100          $600        $1,400
  Medium        $10        $50           $300        $700

Scopes

  Scope                                                                   Type              Asset value   Low    Medium   High     Critical
  Hardware found on https://www.ezviz.com/category/security-wifi-cameras  other             Critical      $100   $500     $1,000   $3,000
  Hardware found on https://www.ezviz.com/category/smart-home             other             Critical      $100   $500     $1,000   $3,000
  i.ys7.com                                                               web-application   High          $15    $100     $600     $1,400
  open.ys7.com                                                            web-application   High          $15    $100     $600     $1,400
  auth.ys7.com                                                            web-application   High          $15    $100     $600     $1,400
  api.ys7.com                                                             web-application   High          $15    $100     $600     $1,400
  api.ezvizlife.com                                                       web-application   High          $15    $100     $600     $1,400
  usauth.ezvizlife.com                                                    web-application   High          $15    $100     $600     $1,400
  ius.ezvizlife.com                                                       web-application   High          $15    $100     $600     $1,400
  *.ys7.com                                                               web-application   Medium        $10    $50      $300     $700
  .eziot.com                                                              web-application   Medium        $10    $50      $300     $700

Out of scopes

  • scc-chat.ys7.com
  • Test environment (for example: test.ys7.com)
  • Pre-release environment (for example: pb.ys7.com)

Vulnerability types

Qualifying vulnerabilities

  • SQL Injection (SQLi)
  • Horizontal and vertical privilege escalation
  • Business logic vulnerabilities with real security implications
  • Authentication bypass & broken authentication
  • Code injection (HTML, JS, SQL, PHP, ...)
  • Remote Code Execution (RCE)
  • Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Insecure Direct Object References (IDOR)
  • Overflow-type vulnerabilities that can cause the device to crash
  • Vulnerabilities that can lead to the disclosure of truly sensitive information on the device

Non-qualifying vulnerabilities

  • Lack of expiration on auth tokens
  • Vulnerabilities affecting outdated browsers: we only consider reports against the latest stable versions of Safari, Firefox, Chrome, Edge and IE
  • Known CVEs without working PoC
  • Denial of Service (DoS) attacks
  • Self XSS
  • "HTTP Host Header" XSS
  • Missing cookie flags
  • Mixed content warnings
  • Lack of HTTP security headers (CSP, X-XSS, etc.)
  • SSL/TLS best practices
  • No rate-limiting enforced
  • Clickjacking/UI redressing
  • Software version disclosure
  • Stack traces, path disclosure, directory listings, etc
  • Physical or social engineering attempts like phishing
  • Recently disclosed 0-day vulnerabilities
  • Presence of autocomplete attribute on web forms
  • Issues that require physical access to a victim's computer/device
  • Logout and other instances of low-severity CSRF
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Incomplete or missing SPF/DKIM/DMARC on mail servers
  • Security best practices without real security impact
  • Attacks requiring MITM or physical access to a user's device (Exempted for Hardware Vulnerabilities)
  • Enumeration/account oracles: possibility to enumerate phone numbers, emails, GUID etc and receive indication that it exists
  • Issues caused by 3rd party libraries
  • Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
  • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)

Hunting requirements

Account access

Ezviz devices

There are no credentials to be provided, as this is a black-box test.

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.

Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.