avatar
Bug bounty
Public
Submit report

Ezviz - Bug Bounty Program

Established in 2013, EZVIZ dedicates itself to creating a safe, convenient and smart life for users through its intelligent devices, advanced AI technologies and cloud services.

Reward

Bounty
Hall of fame
$10
Low
$100
Medium
$500
High
$1,000
Critical
$3,000

Program

Avg reward
-
Max reward
-
Scopes
11
Supported languages
English

Hacktivity

Reports
205
1st response
> 10 days
Reports last 24h
-
Reports last week
1
Reports this month
4

About

EZVIZ

  • Established in 2013, EZVIZ dedicates itself to create a safe, convenient and smart life for worldwide users through our IoT Products, advanced technologies and cloud services.

Program Rules

Thank you for your interest in EZVIZ bug bounty program.

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our Products or Services.
  • If you believe you've found a security bug relating to us, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Vulnerability Classification

Critical Vulnerabilities

  1. Ability to access any user's camera for live video streaming or playback.
  2. Full access to the database of core applications.
  3. Direct vulnerabilities to obtain core system permissions, including but not limited to:
    • Command injection
    • Remote command execution
    • Web shell upload
    • SQL injection leading to system permissions
    • Buffer overflows (including exploitable ActiveX buffer overflows)
    • Remote kernel code execution vulnerabilities
    • Other remote code execution vulnerabilities caused by logic flaws (assessed based on the confirmed permissions obtained).
  4. Severe information leaks, including but not limited to:
    • SQL injection vulnerabilities in core databases
    • Exposing three or more sensitive information fields
    • Affecting a significant amount of data (≥100,000 records).
    • If not meeting these thresholds, scoring will be adjusted based on the actual scenario.
    • Sensitive fields: Personal names, ID numbers, addresses, contact information, bank account numbers, full transaction details, etc.
  5. Major logic design flaws, including but not limited to:
    • Arbitrary account login
    • Password reset
    • Unauthorized financial transactions
    • Payment processing issues.

High-Risk Vulnerabilities

  1. Vulnerabilities that directly provide general system permissions, including but not limited to:
    • Command injection
    • Remote command execution
    • Web shell upload
    • SQL injection leading to system permissions
    • Buffer overflows (including exploitable ActiveX buffer overflows)
    • Remote kernel code execution vulnerabilities
    • Other remote code execution vulnerabilities caused by logic flaws (assessed based on the confirmed permissions obtained).
  2. Sensitive information leaks, including but not limited to:
    • SQL injection vulnerabilities in non-core databases
    • Exposing three or more sensitive information fields
    • Affecting a significant amount of data (≥10,000 records).
    • If not meeting these thresholds, scoring will be adjusted based on the actual scenario.
    • Sensitive fields: Personal names, ID numbers, addresses, contact information, bank account numbers, full transaction details, etc.
  3. SSRF vulnerabilities that allow direct access to the internal network with complete response feedback.
  4. Privilege escalation, including but not limited to:
    • Unauthorized modifications of important information
    • Bypassing authentication to access administrative backends
    • Modifying critical business configurations (evaluated based on actual business scenarios).

Medium-Risk Vulnerabilities

  1. Vulnerabilities enabling the direct theft of user identity information, including:
    • Stored XSS vulnerabilities on critical pages
    • SQL injection vulnerabilities on standard websites.
  2. Unauthorized access, including but not limited to:
    • Bypassing restrictions on normal interfaces to modify user data
    • Performing user operations
    • Weak administrative passwords (evaluated based on actual business scenarios).
  3. Ordinary information leaks, including but not limited to:
    • Internal source code package leaks
    • Cloud platform key exposure
    • Vulnerabilities with proven exploitability and significant impact
    • Leaking a certain amount of personal sensitive information (scored based on actual scenarios).
  4. Exploitable communication protocol vulnerabilities or business logic flaws with some level of impact.

Low-Risk Vulnerabilities

  1. Vulnerabilities requiring user interaction to obtain identity information, including but not limited to:
    • Reflected XSS (including reflected DOM-XSS)
    • JSON hijacking
    • CSRF in sensitive operations
    • Stored XSS in standard business processes.
  2. Minor logical design flaws, including but not limited to:
    • Bypassing SMS verification codes
    • Email verification bypass
    • Brute-forcing SMS codes
    • SMS bombing.
  3. Minor information leakage vulnerabilities, including but not limited to:
    • Internal system source code leaks on GitHub
    • phpinfo leaks
    • Logcat-sensitive information leaks
    • Correct internal account credentials.
  4. Hard-to-exploit issues that may pose potential security risks, including but not limited to:
    • Self-XSS
    • CSRF for non-critical operations
    • File parsing vulnerabilities.
  5. Minor unauthorized access vulnerabilities, including but not limited to:
    • Unauthorized operations on non-core functional interfaces (evaluated based on actual business scenarios).

No Impact

  1. Non-security-related bugs, such as:
    • Webpage garbling
    • Functional defects
    • Styling issues.
  2. Non-exploitable "vulnerabilities," including but not limited to:
    • Scanner reports with no practical significance (e.g., low-version web servers)
    • Self-XSS
    • HTML Injection
    • JSON hijacking without sensitive data
    • CSRF without sensitive operations
    • Meaningless source code leaks
    • Internal IP/domain leaks
    • Logcat information leaks without sensitive data.
  3. Low-risk or hard-to-exploit vulnerabilities, such as:
    • PDF XSS
    • URL redirection
    • Email bombing
    • SSRF that cannot access internal networks
    • Username enumeration
    • Concurrent requests affecting insignificant data (e.g., page views, sign-up numbers, unimportant likes/ratings)
    • Meaningless API key leaks
    • Command execution vulnerabilities providing only dnslog feedback.
  4. Other issues not directly demonstrating a vulnerability, including user speculation.
  5. Non-reproducible vulnerabilities confirmed by YSRC personnel as irreproducible.
  6. Previously known vulnerabilities that will be ignored, with the submitter informed via the submission platform.
  7. Non-business-related vulnerabilities not affecting core products or caused by non-core product security issues.
  8. Vulnerabilities in test, pre-release, or private cloud demo environments (e.g., domains starting with t, test, pb, etc.) unless proven to affect production environments.
  9. Local denial-of-service vulnerabilities in mobile clients, including those caused by component permissions.

Reward Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of EZVIZ, however only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • "OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. Regardless, such reports will be reviewed on a case by case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service systems (refrain from using automated tools, and limit yourself about requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of EZVIZ or one of its contractors.
  • Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial is allowed.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the security or privacy of our users.

  • Avoid tests that could cause degradation or interruption of our service systems.
  • Do not use automated scanners or tools that generate large amount of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any system.
  • Do not copy any files from the system or disclose them.

Reward

Asset value CVSS
Low
 CVSS
Medium
 CVSS
High
 CVSS
Critical
Critical
$100$500$1,000$3,000
High
$15$100$600$1,400
Medium
$10$50$300$700

Scopes

ScopeTypeAsset value
Hardware found on https://www.ezviz.com/category/security-wifi-cameras other
Critical
Low
$100
Medium
$500
High
$1,000
Critical
$3,000
Hardware found on https://www.ezviz.com/category/smart-home other
Critical
Low
$100
Medium
$500
High
$1,000
Critical
$3,000
i.ys7.com web-application
High
Low
$15
Medium
$100
High
$600
Critical
$1,400
open.ys7.com web-application
High
Low
$15
Medium
$100
High
$600
Critical
$1,400
auth.ys7.com web-application
High
Low
$15
Medium
$100
High
$600
Critical
$1,400
api.ys7.com web-application
High
Low
$15
Medium
$100
High
$600
Critical
$1,400
api.ezvizlife.com web-application
High
Low
$15
Medium
$100
High
$600
Critical
$1,400
usauth.ezvizlife.com web-application
High
Low
$15
Medium
$100
High
$600
Critical
$1,400
ius.ezvizlife.com web-application
High
Low
$15
Medium
$100
High
$600
Critical
$1,400
*.ys7.com web-application
Medium
Low
$10
Medium
$50
High
$300
Critical
$700
.eziot.com web-application
Medium
Low
$10
Medium
$50
High
$300
Critical
$700

Out of scopes

  • scc-chat.ys7.com
  • Test environment (for example: test.ys7.com)
  • Pre-release environment (for example: pb.ys7.com)

Vulnerability types

Qualifying vulnerabilities

  • Unauthorized access to user cameras for live streaming/playback
  • Full database access or SQL injection exposing sensitive core database data
  • Command injection, remote command execution, web shell upload, or Remote Code Execution (RCE) (including kernel-level exploits like buffer overflows)
  • Large-scale data exposure (≥100,000 records or three sensitive fields) or sensitive data leaks (≥10,000 records)
  • Severe business logic flaws (e.g., account login, password reset, unauthorized financial transactions)
  • System permission vulnerabilities (e.g., command injection, RCE, SQLi)
  • SSRF enabling internal network access
  • Privilege escalation (e.g., authentication bypass, administrative backend access)
  • Theft of identity information via XSS or SQLi on critical pages
  • Unauthorized access to modify user data or perform operations
  • Ordinary data leaks (e.g., source code, cloud key exposure, or logs)
  • Exploitable communication protocols or business logic flaws
  • Reflected XSS, JSON hijacking, or CSRF in sensitive operations
  • Minor logic flaws (e.g., bypassing SMS/email verification)
  • Minor data leaks (e.g., source code, sensitive logs, or phpinfo leaks)
  • Self-XSS or file parsing vulnerabilities with noticeable impact
  • Unauthorized access on non-critical functional interfaces

Non-qualifying vulnerabilities

  • Non-security-related bugs (e.g., webpage garbling, functional defects, styling issues)
  • Non-exploitable "vulnerabilities" (e.g., scanner reports with no practical significance, self-XSS, HTML Injection, JSON hijacking without sensitive data, CSRF without sensitive operations, meaningless source code leaks, internal IP/domain leaks, logcat leaks without sensitive data)
  • Low-risk or hard-to-exploit vulnerabilities (e.g., PDF XSS, URL redirection, email bombing, SSRF without internal network access, username enumeration, concurrent requests affecting insignificant data, meaningless API key leaks, command execution with only dnslog feedback)
  • Other issues not directly demonstrating a vulnerability, including user speculation
  • Non-reproducible vulnerabilities confirmed as irreproducible by our team
  • Non-business-related vulnerabilities not affecting core products or caused by non-core product issues
  • Vulnerabilities in test, pre-release, or private cloud demo environments unless proven to affect production environments
  • Local denial-of-service vulnerabilities in mobile clients caused by component permissions party secrets)

Hunting requirements

Account access

Ezviz devices

There are no credentials to be provided as this is a blackbox test.

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

Submit report
program thumbnail
 Ezviz - Bug Bounty Program
Submit report