Update date: September 5, 2023
This program includes the following products of ZTE:
Product Type | Model
5G Common Core | Cloud Application: ZXUN USPP, ZXUN uMAC, ZXUN xGW, ZXUN i5GC; Cloud Management: CloudStudio NFVO&VNFM; Cloud Platform: TECS CloudFoundation
5G NR | ZXRAN V9200, Unified Management Expert (UME)
Fixed Network | Optical Access: ZXA10 C600V1/V2, ZXA10 C610V3; Smart Home: ZXHN F613GV9, ZXHN F610GV9, ZXHN F657GV9, ZXHN F680 V9.0, ZHHN F6600 V9.0, ZXHN E1630
Home Media Center | ZXV10 B866V2-H, ZXV10 B866V2F, ZXV10 B860AV3.2-M, ZXV10 S100V7
Video | Videoconferencing Infrastructure: ZXV10 M9530; Videoconferencing Terminal: ZXV10 XT501; Contact Center: ZXNGCC
Cloud Computing | Cloud PC: uSmartView; Cloud Terminal: W600D
Digital Energy | Datacenter: iDCIM; Telecommunication Energy: iEnergy
JINZHUAN | GoldenDB
Terminal Product | Smart Phone: nubia Z60 Ultra, REDMAGIC 9 Pro, REDMAGIC 9 Pro+; Mobile Internet: MC888, MU5120
1. Vulnerability Bounties and Rating Standards
1.1 Vulnerability Bounties
Rewards are determined according to the impact (severity, influence, score, etc.) of the vulnerability
on the product and the clarity of the vulnerability report.
Severity | Critical | High | Medium | Low
Bounty | $1000~$10000 | $500~$2500 | $100~$500 | $30~$100
1.2 Vulnerability Rating Standards
【Critical】
1) Vulnerabilities that can be used to directly obtain the permissions of the core systems (management
and control systems that can manage a large number of servers, such as core control systems, domain
control systems, service distribution systems, bastion hosts, firewalls, etc.) or the core
servers, including but not limited to: web shell upload, arbitrary code execution, remote command
execution, parse-server vulnerabilities, file inclusion vulnerabilities, remote buffer overflow, virtual
machine escape, or SQL injection that yields system permissions;
2) Serious information leak vulnerabilities of core systems, including but not limited
to: SQL injection of a core DB, leak of important sensitive information of a large number of users
(including at least three of the following sensitive fields: name/ID card, bank card information,
phone number/email, password, and address), breach of an enterprise's internal core data, or leak of
configuration data and log data of core equipment;
3) Serious logical design errors or process defects of a core system, including but not
limited to: batch modification of arbitrary account passwords, fund consumption from arbitrary
accounts, payment vulnerabilities allowing arbitrary amount modification, etc., that
cause great losses to users and companies;
4) Vulnerabilities that can remotely cause a permanent and serious impact on the availability of core
systems and core servers, including but not limited to: DoS vulnerabilities that directly
cause the breakdown of core system services and core servers.
【High】
1) Vulnerabilities that can be used to directly obtain the permissions of important service
servers, including but not limited to: webshell upload, arbitrary code
execution, arbitrary command execution, parse-server vulnerabilities, file inclusion, remote buffer overflow, or SQL
injection;
2) Vulnerabilities that directly lead to important information leaks, including but not limited to: SQL
injection of an important DB, file traversal, arbitrary file read, and leak of a
large amount of source code or compressed packages of important services;
3) Vulnerabilities that affect a wide range of users, including but not limited
to: stored XSS that can propagate automatically across core services, exploitable stored XSS that can
obtain administrator authentication information, CSRF that can cause worms, and
XSS vulnerabilities in important client products that can obtain sensitive information or
perform sensitive operations;
4) Serious broken access control, including but not limited to: weak passwords or authentication
bypass giving access to an important background management system, stealing users' important identity
information in batches, and remotely obtaining permissions on ordinary mobile clients to execute
arbitrary commands and code;
5) Serious logical design errors or process defects, such as an arbitrary password reset
vulnerability in an important system;
6) Vulnerabilities that can remotely cause a permanent and serious impact on the availability of
important service systems and important servers, including but not limited to:
DoS vulnerabilities that directly cause the breakdown of important system services
and servers.
【Medium】
1) Vulnerabilities that require user interaction to obtain user identity information, including but not
limited to: CSRF for important sensitive operations and stored XSS in common services;
2) Serious information leaks, including but not limited to: SQL injection that can obtain insensitive
data, blind SSRF (no echoed response), leak of source code or compressed packages that contain
sensitive information (such as DB connection passwords), leak of sensitive authentication keys stored
locally (the keys must be shown to be usable), etc.;
3) Common broken access control, including but not limited to: bypassing
access restrictions on a non-important background management system, insecure direct object
references, bypassing restrictions on modifying user data, performing operations as another user, reading
other users' information, and tampering with non-key services;
4) Common logical design errors, including but not limited to: vulnerabilities caused by
successful brute-forcing of sensitive system operations, such as verification code logic errors that allow
arbitrary account login and arbitrary password retrieval, password reset or account login through
brute-forcing of a four-digit verification code, unlimited SMS sending, etc.;
5) Arbitrary file operation vulnerabilities, including but not limited to: arbitrary file
read/write/delete/download operations and arbitrary file upload, such as uploading HTML that causes
stored XSS.
【Low】
1) XSS vulnerabilities, including but not limited to: reflected XSS (including DOM
XSS and Flash XSS), JSON hijacking, etc.;
2) Broken access control with limited harm.
1.3 No Reward Scope
The following attacks are excluded from the scope of our bug bounty program:
1) Vulnerabilities in products other than the models listed in the bounty program shall not be rewarded;
2) Software functionality errors that have no security impact;
3) Slight information leaks, including but not limited to: absolute path leak, phpinfo, svn/cvs
information leak, web directory traversal, system path traversal, directory browsing, local logs with
some sensitive information, etc.;
4) Vulnerabilities that have potential security risks but are difficult to exploit, including but not
limited to: sensitive security vulnerabilities that require continuous user interaction, SQL injection
points that are difficult to exploit, and local denial of service on the client;
5) Unexploitable vulnerabilities, including but not limited to: a scanning report without proof of harm,
CSRF without sensitive operations, meaningless source code leak, and intranet IP address/domain name
leak;
6) Problems that cannot directly demonstrate the existence of a vulnerability, including but not
limited to problems that are subjectively speculated by users;
7) Vulnerabilities that are already known or have been disclosed online;
8) Vulnerabilities found by testing a mobile phone with developer mode enabled;
9) Traversing mobile phone numbers to send messages, traversing user names (mailboxes) to determine
whether they have been registered, mailbox bombing, or privilege escalation without significance;
10) Email spoofing;
11) URL redirection vulnerabilities;
12) Any form of social engineering attack;
13) Low-impact local DoS attacks;
14) Temporary denial of service attacks that cause the system to hang or the device to restart (the
vulnerabilities that cause the service process to hang or exit abnormally can be assessed
exceptionally);
15) All brute force denial-of-service attacks;
16) Any attacks which render the device permanently inoperable;
17) Scenarios with excessive user interaction or tricking users, such as phishing or clickjacking;
18) Reports based on information obtained through illegal access to ZTE's confidential information;
19) Full or partial path disclosure, except when a real security impact can be demonstrated;
20) If there are multiple submitters for the same vulnerability, only the first submitted report will
receive the reward and credit. If the patch for a vulnerability is already being drafted, the report
will also be regarded as invalid;
21) No reward shall be given for open-source and third-party vulnerabilities that affect ZTE equipment
(the vulnerabilities that have a greater impact can be assessed exceptionally, with a reward
amount lower than that for original vulnerabilities of the same level).
2. Report Requirements
In order to reproduce the vulnerability, your report must contain a detailed vulnerability description
and a complete POC or Exploit.
2.1 Report description requirements
1) Vulnerability description, which needs to include the vulnerability types, the causes, the
methods of exploitation, and the potential risks;
2) Affected product or service name, module name, detailed version information, and specific
vulnerability location;
3) Describe the detailed steps required to reproduce the vulnerability using text, screenshots,
graphics, etc. Describe the reproduction process step by step (submitting a vulnerability
reproduction video is recommended).
2.2 POC or Exploit requirements
1) Provide a complete and compilable POC or Exploit. The POC or Exploit must successfully
verify the reported vulnerability;
2) Describe the compilation and running environment, including: compiler name, compiler version,
compilation options, operating system version, and other necessary information;
3) The running result of the POC or Exploit should be consistent with that described in your report.
A vulnerability report should include the detailed vulnerability description, proof of harm, and POC.
Reports that are too simple or have no proof of harm will be downgraded or ignored.
3. Legal Information
The following rules should be followed for your participation in our bug bounty program and reporting
vulnerabilities to us:
1) You shall only exploit, investigate or attack vulnerabilities within your own accounts or devices;
2) Your testing activities must not negatively impact the availability or performance of ZTE's products
or services, break ZTE online service, attack ZTE's internal or external servers, nor cause damage of
data or physical assets;
3) Do not download sensitive service data during the test, including but not limited to source code or
users' personal data. Such information must not be used, disclosed, stored, or recorded in any
form. If such data is downloaded unintentionally, timely feedback and an explanation shall be provided and the file shall
be deleted;
4) Without ZTE's written approval, do not disclose any details about the security vulnerabilities of
ZTE's products or services to any third party;
5) Do not intentionally create or spread malicious programs such as computer viruses;
6) Do not infringe any third party's rights (including intellectual property rights);
7) You are not an employee or outsourced employee or contractor of ZTE and its subsidiaries, or an
immediate family member of an employee or outsourced employee or contractor of ZTE.
If you use the security test as an excuse to exploit the vulnerability information to damage user
interests, affect normal service operations, or steal user data, which causes us losses or violates laws
and regulations, ZTE Corporation reserves the right to pursue legal responsibilities.
4. Reward Payment
1) The reward amount ranges from CNY200 to CNY60,000 for qualified vulnerabilities. Each vulnerability
will be rewarded based on the severity, complexity of attack, impact scope, and report quality;
2) Reproduced vulnerabilities will be rewarded through ZTE Corporation bank account transfer. In
order to complete the bounty payment, we need to collect your nationality, city, real name, mobile phone
number, ID card number, home or company address, bank card number, name of the deposit bank, and bank
SWIFT code, etc. We promise that this information will only be used for our
payment and will not be used for other purposes;
3) In order to comply with applicable tax-related legal requirements, we withhold and
pay personal income tax when paying your bonus.
5. Dispute Resolution
In the process of handling vulnerabilities, if the reporter has objections to the handling process,
vulnerability assessment or vulnerability scoring, please send an email to psirt@zte.com.cn;
our staff will answer your questions as soon as possible.
6. Others
1) We will regularly update the list of products/services included in the reward scope;
2) Irrelevant security questions submitted will not be answered or processed, and the response
time during holidays will be delayed;
3) This bug bounty program shall come into force from the date of issuance. ZTE owns the full right to
determine the severity level, the reward amount and the payment process. ZTE also reserves the right to
suspend the bug bounty program at any time;
4) ZTE PSIRT has the final right to interpret all the above terms.
7. Revision Record
V1.0 2020.9.19 initial release
V1.1 2020.10.19 Updated the scope of products participating in the bug bounty program
V1.2 2020.10.30 Updated the amount of the reward
V1.3 2020.12.11 Updated the scope of products participating in the bug bounty program
V1.4 2021.1.15 Updated the scope of products participating in the bug bounty program
V1.5 2021.4.15 Updated the amount of the reward
V1.6 2021.4.26 Updated the scope of products participating in the bug bounty program
V1.7 2021.8.6 Updated the scope of products participating in the bug bounty program
V1.8 2022.1.27 Updated the amount of the reward, the reward range, vulnerability rating
standards, no reward scope, legal information, etc.
V1.9 2022.6.13 Updated the scope of products participating in the bug bounty program
V1.10 2023.2.23 Updated the scope of products participating in the bug bounty program
V1.11 2023.4.11 Updated the reward range, no reward scope
V1.12 2023.9.5 Updated the reward range