Business Scope Eligible for Security Rewards

Zepp Health's security reward scope includes domains such as *.huami.com, *.amazfit.com, *.zepp.com, *.zepphealth.com, and related products such as Zepp, Zepp Life, and the WeChat applet.

Vulnerability Handling Process

1. Confirmation and assessment: Security Response Center (SRC) staff will confirm the received vulnerability report and begin assessing the problem within one business day of submission.
2. Resolution and communication: within three working days of submission, SRC staff will handle the vulnerability, reach a conclusion, and count it toward the contribution value. (If necessary, they will contact the reporter to confirm details; please assist as the reporter.)
3. Fix and update: the business department fixes the reported vulnerabilities and schedules the update for release. Repair time depends on the severity of the vulnerability and the difficulty of the fix. Generally speaking:
   - Serious vulnerabilities are fixed within 1 working day.
   - High-risk vulnerabilities are fixed within 3 - 5 working days.
   - Medium-risk vulnerabilities are fixed within 15 working days.
   - Low-risk vulnerabilities are fixed or ignored within 30 working days.
   - Client security issues are constrained by the version release cycle; their repair time is determined according to the actual situation.
4. Verification by the reporter: vulnerability reporters can check whether the security issues have been successfully fixed. If they find that a fixed vulnerability can still be exploited, they can contact the handling staff, and the platform will add an additional reward.

Vulnerability Rating Rules

Critical Vulnerability
- Vulnerabilities that directly obtain core system permissions. This includes, but is not limited to, remote arbitrary command execution, code execution, webshell upload, SQL injection that yields system permissions, etc.
- Serious leakage of sensitive information. This includes, but is not limited to, SQL injection into core databases, access to the identity information of a large number of core users, personal sensitive data, logic flaws exposing business order information, etc.
- Logic flaws that directly lead to serious impact. This includes, but is not limited to, logic flaws in payment modules, forging core application accounts, and flaws allowing arbitrary account password changes, etc.

High Risk Vulnerability
- Vulnerabilities that directly obtain general system permissions. This includes, but is not limited to, remote arbitrary command execution, code execution, webshell upload, SQL injection that yields system permissions, buffer overflow, etc.
- Important unauthorized access. This includes, but is not limited to, bypassing authentication to directly access management backends containing sensitive information, unauthorized access to important services containing sensitive information, weak passwords on the backends of important services that carry real operational authority in the business, more serious broken access control such as adding, deleting, modifying or querying arbitrary users' information, and SSRF that can directly obtain a large amount of sensitive intranet information (do not scan the intranet).
- Business logic flaws in important activities, and flaws that can directly yield higher benefits to the attacker or cause significant economic loss to the company.

Medium Risk Vulnerability
- Vulnerabilities that require user interaction to obtain user identity information. This includes, but is not limited to, stored XSS and CSRF on important and sensitive operations of core business.
- Ordinary unauthorized operations. This includes, but is not limited to, unauthorized operations that can query small amounts of other users' data.
- General information leakage. This includes, but is not limited to, GitHub leaks involving internal systems and email password disclosure.
- Local arbitrary code execution. This includes, but is not limited to, locally exploitable stack overflows, format string bugs, local privilege escalation, file-association DLL hijacking, and native code execution caused by other logic issues.

Low Risk Vulnerability
- Vulnerabilities that obtain user identity information only in specific unpopular browser environments (such as browsers older than IE11). This includes, but is not limited to, stored XSS, reflected XSS, DOM-XSS, etc.
- Minor information leakage. This includes, but is not limited to, non-sensitive system source code and passwords leaked on GitHub, SVN file leaks, phpinfo, and logcat sensitive information leaks.
- Local denial-of-service vulnerabilities that affect the normal usage of PC and mobile clients. This includes, but is not limited to, local denial of service caused by component permissions.
- URL redirection. This includes, but is not limited to, URL redirection vulnerabilities on subdomains within Zepp Health's business scope, which must be proven to redirect directly.
- SSRF vulnerabilities that can directly access the intranet but are blind (no response is echoed).
- Vulnerabilities that are difficult to exploit but may pose potential security hazards. This includes, but is not limited to, CSRF that may enable propagation and exploitation, and remote code execution vulnerabilities that require a man-in-the-middle attack, provided a valid PoC is supplied.
- SMS bombing: high-frequency, unlimited text messages sent to any designated user or mobile phone number.

Invalid Vulnerability (no immediate security issue / cannot be directly exploited / existence or exploitability of the vulnerability cannot be proven)
- Bugs unrelated to security. This includes, but is not limited to, garbled web pages, web pages that cannot be opened, and functions that cannot be used.
- Unexploitable "vulnerabilities". This includes, but is not limited to, meaningless scanner reports, Self-XSS that only affects the user who triggers it, etc.
- Undocumented guesswork or unreproducible vulnerabilities.
- Issues outside Zepp Health's business.
- Other vulnerabilities considered negligible.

SRC Rewards Program

| Level | Bug Bounty Criteria (USD) | Remark |
| --- | --- | --- |
| Critical Risk | 150 - 300 | Zepp Health product portfolio, based on vulnerability value assessment |
| High Risk | 100 - 150 | A single Zepp Health product |
| Medium Risk | 20 - 100 | A single Zepp Health product |
| Low Risk | Written Thanks | / |
| Invalid | None | / |

Reward Distribution Mechanism

After reviewing the vulnerability submitted by the white hat, the vulnerability auditor assigns the corresponding reward according to the rating standard. The reward takes effect once confirmed with the white hat. After confirming the reward and the white hat's personal information, the vulnerability auditor arranges distribution of the reward. The actual arrival time of the reward depends on local conditions. If there is any problem with reward distribution, please contact us promptly to confirm.

Security Testing Considerations

- The reward standard applies only to threat intelligence that affects Zepp Health products and business.
- The right to interpret the handling process and rating rules belongs to Zepp Health. We reserve the right to adjust the handling process and rating rules and re-announce them as the situation requires.
- White hats may not disclose vulnerability details on any public channel or self-media (such as Weibo, forums, communities, official accounts, Moments, Facebook, Twitter, Instagram, etc.).
- Multiple vulnerabilities arising from the same root cause are generally counted as one vulnerability, and for the same vulnerability only the earliest submitter receives the contribution. Vulnerabilities submitted on other platforms are not counted. Vulnerabilities already disclosed externally are not included. Known vulnerabilities do not earn contribution value a second time.
- The final contribution value at each vulnerability level is determined by factors such as exploitation difficulty and scope of impact. If the triggering conditions are very demanding, the vulnerability level may be lowered. It is strictly forbidden to use automated vulnerability scanners or auxiliary tools to launch high-frequency scans. Test results should only be used to prove that the vulnerability exists and can be exploited.
- It is strictly forbidden to use vulnerabilities for illegal operations, including but not limited to dumping databases, intranet penetration, etc.
- Do not use security testing as a pretext to use the intelligence to harm user interests, disrupt normal business operations, disclose before the fix, steal user data, etc. Such actions will not be counted, and Zepp Health reserves the right to take further legal action.

- If you have any questions, you can send feedback to the Zepp Health email sec@zepp.com.