TCL Vulnerability Reward Rules

V1.2

 

Effective Time: 2022-06-18 00:00 (UTC+8)——2023-12-31 00:00 (UTC+8)

 

I. TCL Safety Reward Basic Principles

 

1. TCL hopes to strengthen its own business security and maintain user information security by submitting vulnerabilities by security enthusiasts in the industry, and welcomes feedback on TCL products or business security issues.

2. TCL opposes and condemns hackers who use vulnerability testing as an excuse to damage or harm the interests of the users.

3. If you have any suggestions on this process, please send an email to security@tcl.com to give us feedback. Once the suggestions are adopted, TCL will give corresponding rewards.

4. The reward program complies with the terms and contents described in the Terms and Conditions of the TCL Vulnerability Reward Program.

5. Please refer to the Privacy Statement of the TCL Vulnerability Reward Program for information on how TCL handles your personal data related to this reward program.

6. We ask you not to disclose the security vulnerabilities you reported before they are repaired (this includes any third party except you), otherwise you will no longer be able to participate in any existing or future vulnerability reward programs of TCL. If you plan to discuss the vulnerabilities publicly after we repair them, including conference speeches, publishing technical sharing articles, etc., please contact security@tcl.com in advance.

7. If the TCL vulnerability you found is not within the scope of this reward program, we will not pay the reward, but we will still deal with it according to the TCL vulnerability handling process, and hope that you will continue to cooperate with us for collaborative vulnerability disclosure.

8. If you disagree with anything in this rule, please do not send us any vulnerability report or participate in this program in other ways. Submitting any vulnerability to TCL or participating in the program in any way means that you accept all the contents of the Rules, TCL Vulnerability Reward Program Agreement, TCL Vulnerability Reward Program Privacy Guide, vulnerability reward program rules for specific products and any other applicable terms.

 

II. Vulnerability Submitting and Handling Processes

 

2.1 Submission Process

TCL Vulnerability Reward Rules

V1.2

 

Effective Time: 2022-06-18 00:00 (UTC+8)——2023-12-31 00:00 (UTC+8)

 

I. TCL Safety Reward Basic Principles

 

1. TCL hopes to strengthen its own business security and maintain user information security by submitting vulnerabilities by security enthusiasts in the industry, and welcomes feedback on TCL products or business security issues.

2. TCL opposes and condemns hackers who use vulnerability testing as an excuse to damage or harm the interests of the users.

3. If you have any suggestions on this process, please send an email to security@tcl.com to give us feedback. Once the suggestions are adopted, TCL will give corresponding rewards.

4. The reward program complies with the terms and contents described in the Terms and Conditions of the TCL Vulnerability Reward Program.

5. Please refer to the Privacy Statement of the TCL Vulnerability Reward Program for information on how TCL handles your personal data related to this reward program.

6. We ask you not to disclose the security vulnerabilities you reported before they are repaired (this includes any third party except you), otherwise you will no longer be able to participate in any existing or future vulnerability reward programs of TCL. If you plan to discuss the vulnerabilities publicly after we repair them, including conference speeches, publishing technical sharing articles, etc., please contact security@tcl.com in advance.

7. If the TCL vulnerability you found is not within the scope of this reward program, we will not pay the reward, but we will still deal with it according to the TCL vulnerability handling process, and hope that you will continue to cooperate with us for collaborative vulnerability disclosure.

8. If you disagree with anything in this rule, please do not send us any vulnerability report or participate in this program in other ways. Submitting any vulnerability to TCL or participating in the program in any way means that you accept all the contents of the Rules, TCL Vulnerability Reward Program Agreement, TCL Vulnerability Reward Program Privacy Guide, vulnerability reward program rules for specific products and any other applicable terms.

 

II. Vulnerability Submitting and Handling Processes

 

2.1 Submission Process

2.2 Common Vulnerability Scoring Rules

 

(1) For the same vulnerability, only the first reporter will be given appropriate rewards based on the following criteria, and other reports will be regarded as not conforming to the rules and will not be rewarded.

(2) Before the vulnerability was repaired, it was disclosed privately without TCL''s consent, TCL will not distribute rewards; TCL will have the right to pursue its legal responsibilities if it damages the privacy of users or other sensitive data and causes losses.

(3) Some vulnerabilities are technically feasible, but there is no report of in-depth proof. TCL security engineers will conduct internal tests to confirm the potential harm of vulnerabilities.

(4) Multiple vulnerabilities generated by the same vulnerability source count as one vulnerability, for example, if the port is open and there are multiple port opening problems, it can only count as one vulnerability.

(5) The vulnerability report should include a detailed vulnerability description, recurring poc and vulnerability hazard certificate to speed up the processing speed of technicians. Vulnerability reports that are too simple and without any proof of harm will be ignored or reduced in pay.

(6) For vulnerabilities that do not belong to TCL's own business, such as those of partner companies, we will actively communicate them to partner companies, and the vulnerabilities of partner companies will not be included in the rewards. Meanwhile, open source vulnerabilities are not in the reward, which include third-party components, Google Android environment and Linux kernel.

(7) TCL's final audit results of vulnerabilities will be comprehensively judged based on the difficulty of exploiting vulnerabilities, the degree of hazard and the scope of influence.

 

III. Vulnerability Reward Composition

 

The reward consists of three parts: basic reward of vulnerability/intelligence, quality report bonus and special vulnerability/intelligence contribution reward, which will be continuously upgraded and improved according to the industry situation and the suggestions of vulnerability reporters.

 

3.1 Basic Reward of Vulnerability/Intelligence

 

See Chapter IV for basic reward

 

3.2 Bonus for Quality Reports

 

If the submitted report is detailed and complete, the reporter may receive the extra rewards of 10 to 1,00 US dollars. The report should include title+vulnerability description+vulnerability certificate+repair program. [Title]: Clarify the domain name and product name affected by the vulnerability and the type of vulnerability [Vulnerability Description]: Detailed vulnerability description, url, vulnerability parameters, etc. [Vulnerability Certificate]: vulnerability impact description and vulnerability utilization certificate [Repair Program]: Provide one or more executable repair suggestions for the reported vulnerabilities

 

3.3 Special Vulnerability/Intelligence Contribution Reward

 

For vulnerabilities/intelligence that has a great impact on TCL security, such as critically sensitive information disclosure, direct denial of service of TCL core business, remote access to core system authority, etc., TCL will give the extra rewards of 100$~10000$ after verification.

 

IV. Security Vulnerability Scoring Rules

 

4.1 Vulnerability Basic Scoring and Reward Rules

 

We have defined four levels for vulnerabilities based on the degree of hazard: critical, high, medium, and low. The vulnerabilities covered by each level and the scoring standards are shown in the following table.

This scoring rule is only for reference, and the final scoring and reward quota of vulnerabilities will be comprehensively rated according to the actual utilization difficulty of vulnerabilities, business characteristics, the scope of vulnerability influence, the detailed degree of reports, and the cooperation degree of reporting persons during retest. TCL has the final interpretation and decision-making power.

2.2 Common Vulnerability Scoring Rules

 

(1) For the same vulnerability, only the first reporter will be given appropriate rewards based on the following criteria, and other reports will be regarded as not conforming to the rules and will not be rewarded.

(2) Before the vulnerability was repaired, it was disclosed privately without TCL''s consent, TCL will not distribute rewards; TCL will have the right to pursue its legal responsibilities if it damages the privacy of users or other sensitive data and causes losses.

(3) Some vulnerabilities are technically feasible, but there is no report of in-depth proof. TCL security engineers will conduct internal tests to confirm the potential harm of vulnerabilities.

(4) Multiple vulnerabilities generated by the same vulnerability source count as one vulnerability, for example, if the port is open and there are multiple port opening problems, it can only count as one vulnerability.

(5) The vulnerability report should include a detailed vulnerability description, recurring poc and vulnerability hazard certificate to speed up the processing speed of technicians. Vulnerability reports that are too simple and without any proof of harm will be ignored or reduced in pay.

(6) For vulnerabilities that do not belong to TCL's own business, such as those of partner companies, we will actively communicate them to partner companies, and the vulnerabilities of partner companies will not be included in the rewards. Meanwhile, open source vulnerabilities are not in the reward, which include third-party components, Google Android environment and Linux kernel.

(7) TCL's final audit results of vulnerabilities will be comprehensively judged based on the difficulty of exploiting vulnerabilities, the degree of hazard and the scope of influence.

 

III. Vulnerability Reward Composition

 

The reward consists of three parts: basic reward of vulnerability/intelligence, quality report bonus and special vulnerability/intelligence contribution reward, which will be continuously upgraded and improved according to the industry situation and the suggestions of vulnerability reporters.

 

3.1 Basic Reward of Vulnerability/Intelligence

 

See Chapter IV for basic reward

 

3.2 Bonus for Quality Reports

 

If the submitted report is detailed and complete, the reporter may receive the extra rewards of 10 to 1,00 US dollars. The report should include title+vulnerability description+vulnerability certificate+repair program. [Title]: Clarify the domain name and product name affected by the vulnerability and the type of vulnerability [Vulnerability Description]: Detailed vulnerability description, url, vulnerability parameters, etc. [Vulnerability Certificate]: vulnerability impact description and vulnerability utilization certificate [Repair Program]: Provide one or more executable repair suggestions for the reported vulnerabilities

 

3.3 Special Vulnerability/Intelligence Contribution Reward

 

For vulnerabilities/intelligence that has a great impact on TCL security, such as critically sensitive information disclosure, direct denial of service of TCL core business, remote access to core system authority, etc., TCL will give the extra rewards of 100$~10000$ after verification.

 

IV. Security Vulnerability Scoring Rules

 

4.1 Vulnerability Basic Scoring and Reward Rules

 

We have defined four levels for vulnerabilities based on the degree of hazard: critical, high, medium, and low. The vulnerabilities covered by each level and the scoring standards are shown in the following table.

This scoring rule is only for reference, and the final scoring and reward quota of vulnerabilities will be comprehensively rated according to the actual utilization difficulty of vulnerabilities, business characteristics, the scope of vulnerability influence, the detailed degree of reports, and the cooperation degree of reporting persons during retest. TCL has the final interpretation and decision-making power.

Scoring rules for grading TCL reward business

         Smart terminal Smart IOT Web
Core business

32S6500

50P715

   
General business      
Edge business      

 

4.2 Details of Intelligent Terminal Service Scoring

Vulnerability level Vulnerability details Reward standards ($)
Critical

1. Critical logic can cause a vulnerability of great economic loss to users;

2. Remote access to system root and execute arbitrary code or command;

Core business: 1000-5000

General business: 500-1000

Edge business: 200-500

High

1. Vulnerabilities that can remotely obtain some sensitive information of a large number of users;

2. Vulnerabilities that cause great losses to users;

3. A vulnerability that can obtain root or system permissions;

4. Install a malicious app to get the vulnerability of the victim app permissions without interaction;

5. Bypass the safe startup mechanism.

Core business: 200-1000

General business: 100-300

Edge business: 60-100

Medium

1. The app needs to be installed to cause vulnerabilities such as system restart or partial function denial of service;

2. Vulnerabilities that cause general harm through hijacking;

3. Logical vulnerabilities in the interface can cause vulnerabilities such as cheating users and phishing;

4. Vulnerabilities that can obtain sensitive information of users are injected through app local sql.

Core business:100-200

General business: 60-100

Edge business: 10-20

Low

1. Unsafe configuration of App (problems that are difficult to use or have no great impact will be ignored);

2. Low risk information leakage;

3. Vulnerabilities that require more complex and harsh environments and conditions to trigger;

4. Hijacking vulnerability of app upgrade function;

5. Physical contact is required, which can only be caused by the cooperation of users in specific scenarios.

Core business: 20-50

General business: 10-20

Edge business: 0

 

Note: Not in the above description of vulnerabilities will be given corresponding rewards according to the mature vulnerability scoring standards in the industry.

Note: the top prize will be: 5000$ (critical vulnerability) +100$ (quality report) +10000$ (special contribution) = 15100$.

 

4.3 WEB Application Vulnerability Scoring Rules

Vulnerability level Vulnerability details Reward standards ($)
Critical

1. The vulnerability that can direct access to the core system authority and directly harm in the intranet;

2. The vulnerabilities that can obtain a large number of TCL users' core data;

3. The vulnerabilities related to payment and damage to user property;

4. The vulnerabilities that seriously endanger TCL account system.

Core business: 200

General business: 150-200

Edge business: 100-150

High

1. The vulnerabilities that can obtain sensitive information from users;

2. Logical vulnerabilities in individual activities and businesses, such as those involving rewards given by TCL to users.

3. Weak password or authentication information bypasses and enters the background, and there is an actual authority or sensitive information in the business;

4. Code leakage can actually operate online business, and this vulnerability can cause great harm.

Core business: 100

General business: 80-100

Edge business: 50-80

Medium

1. General information leakage of users;

2. The vulnerability requires interaction to affect users;

3. Broken access controls are a destructive vulnerability;

4. File inclusion, directory traversal, and vulnerabilities that can view some sensitive information;

5. Code leakage, vulnerability with sensitive information but unsuccessful exploitation.

Core business:50

General business: 30-50

Edge business: 10-30

Low

1. Vulnerabilities that can only obtain user information under certain circumstances;

2. Temporary file traversal;

3. Minor information disclosure vulnerability;

4. Machine log files with certain sensitive information;

5. Confirmed as a vulnerability, but there are more difficult vulnerabilities;

6. Denial of service attacks caused by application layer defects.

Core business: 20

General business: 10

Edge business: 0

 

Note: Not in the above description of vulnerabilities will be given corresponding rewards according to the mature vulnerability scoring standards in the industry.

Note: the top prize will be: 200$

 

4.4 Details of Smart IOT Product Scoring

Vulnerability level Vulnerability details Reward standards ($)
Critical

1. Critical logic can cause a vulnerability in the user's great economic loss;

2. There is no interactive remote command execution vulnerability in the Internet environment;

3. Control unauthorized devices and perform unexpected functions (such as tampering with cameras and monitoring videos) under the Internet environment.

Core business: 800-3000

General business: 300~1000

High

1. Non-interactive command execution in LAN;

2. Undesirable functions (e.g., tampering with cameras, monitoring videos, etc.) are performed to control unauthorized devices in the LAN;

3. Vulnerabilities that can obtain detailed and sensitive information of a large number of users.

Core business: 300~1000

General business: 100~400

Medium

1. Denial of service in Internet/LAN;

2. Temporary denial of service caused by interaction;

3. Broken access controls of non-important functions, logical vulnerability, etc.;

4. Vulnerabilities with higher hazards that need to be triggered in a harsh environment.

Core business: 50~100

General business: 20~50

Low

1. Unsafe configuration (problems that are difficult to use or have no great impact will be ignored);

2. Low risk information leakage;

3. Physical contact is required, and the harm only causes information leakage or security risk vulnerabilities;

4. Denial of service vulnerability after strong interaction.

Core business: 10~50

General business: 10~20

 

Note: Not in the above description of vulnerabilities will be given corresponding rewards according to the mature vulnerability scoring standards in the industry.

Note: the top prize will be: 3000$ (critical vulnerability) +100$ (quality report) +10000$ (special contribution) = 13100$

 

V. Reward Allocation Instructions

 

(1) Overseas vulnerability reporters can obtain rewards by providing PayPal accounts. If it is other ways, TCL must confirm whether it can be paid. In China, it can be issued by the bank card number.

(2) The vulnerabilities you submit will be confirmed within 3 business days after receiving the report and the evaluation process will begin. A preliminary response will be provided within 7 business days. TCL endeavors to address vulnerabilities in accordance with industry-standard practices after receiving the report, with Critical-risk vulnerabilities being fixed within 15 business days. High-risk and Medium-risk vulnerabilities will be fixed within 90 business days, while Low-risk vulnerabilities will be fixed within 180 business days. Note: Some vulnerabilities are subject to environmental or hardware limitations, and the final resolution time will be confirmed based on the actual situation. However, due to the complexity of each vulnerability, the analysis difficulty is different, and there will be a longer cycle. Hope you can understand. If you can provide detailed POC, it will speed up the processing speed of staff. 

(3) The reward is distributed in two stages: 50% of the basic bonus will be distributed at the beginning of the first month after the vulnerability is graded, and the remaining 50% of the basic bonus and bonus for this vulnerability will be distributed after the vulnerability is repaired. Since different business repair cycles are different, we will inform the repair cycle length and the reward distribution time by stages.

(4) If the payment account number and other information are not filled in, the reward will be affected, and we will inform you of the supplementary payment information through security@tcl.com. Note: In the process of vulnerability handling, if the reporter disagrees with the handling process, vulnerability assessment, vulnerability scoring, etc., please give feedback through email security@tcl.com.