TCL Vulnerability Reward Rules Terms of the TCL Vulnerability Bounty Program Privacy Guidelines for TCL Vulnerability Bounty Program

 

TCL Vulnerability Reward Rules

V1.1

Effective Time: 2021-02-28 00:00 (UTC+8)——2021-06-28 00:00 (UTC+8)

Version No.

Revision contents

Release date

V1.0

Release the first edition

2020-12-28

V1.1

For TV

2021-02-23

Scope of Application

The device reward range includes the following models. The model requires upgrading to the latest software

Intelligent Terminal Service List

Core business

TV:50P715K

Contents

I TCL Safety Reward Basic Principles. 3

II. Vulnerability Submitting and Handling Processes 4

2.1 Submission Process 4

2.2 Common Vulnerability Scoring Rules 4

III Vulnerability Reward Composition. 4

3.1 Basic Reward of Vulnerability/Intelligence 5

3.2 Bonus for Quality Reports 5

3.3 Special Vulnerability/Intelligence Contribution Reward 5

IV. Security Vulnerability Scoring Rules 5

4.1 Vulnerability Basic Scoring and Reward Rules 5

4.2 Details of Intelligent Terminal Service Scoring 6

4.3 WEB Application Vulnerability Scoring Rules 7

4.4 Details of Smart IOT Product Scoring 8

V. Reward Allocation Instructions 10

 


I. TCL Safety Reward Basic Principles

1. TCL hopes to strengthen its own business security and maintain user information security by submitting vulnerabilities by security enthusiasts in the industry, and welcomes feedback on TCL products or business security issues.

2. TCL opposes and condemns hackers who use vulnerability testing as an excuse to damage or harm the interests of the users.

3. If you have any suggestions on this process, please send an email to security@tcl.com to give us feedback. Once the suggestions are adopted, TCL will give corresponding rewards.

4. The reward program complies with the terms and contents described in the Terms of the TCL Vulnerability Bounty Program 
5. Please refer to the Privacy Guidelines for TCL Vulnerability Bounty Program for information on how TCL handles your personal data related to this reward program.
6. We ask you not to disclose the security vulnerabilities you reported before they are repaired (this includes any third party except you), otherwise you will no longer be able to participate in any existing or future vulnerability reward programs of TCL. If you plan to discuss the vulnerabilities publicly after we repair them, including conference speeches, publishing technical sharing articles, etc., please contact security@tcl.com in advance.
7. If the TCL vulnerability you found is not within the scope of this reward program, we will not pay the reward, but we will still deal with it according to the TCL vulnerability handling process, and hope that you will continue to cooperate with us for collaborative vulnerability disclosure.

8. If you disagree with anything in this rule, please do not send us any vulnerability report or participate in this program in other ways. Submitting any vulnerability to TCL or participating in the program in any way means that you accept all the contents of the Rules, Terms of the TCL Vulnerability Bounty ProgramPrivacy Guidelines for TCL Vulnerability Bounty Program, vulnerability reward program rules for specific products and any other applicable terms.

 

II.  Vulnerability Submitting and Handling Processes

2.1  Submission Process

 

2.2  Common Vulnerability Scoring Rules

(1) For the same vulnerability, only the first reporter will be given appropriate rewards based on the following criteria, and other reports will be regarded as not conforming to the rules and will not be rewarded.  

(2) Before the vulnerability was repaired, it was disclosed privately without TCL''s consent, TCL will not distribute rewards; TCL will have the right to pursue its legal responsibilities if it damages the privacy of users or other sensitive data and causes losses.

(3) Some vulnerabilities are technically feasible, but there is no report of in-depth proof. TCL security engineers will conduct internal tests to confirm the potential harm of vulnerabilities.

(4) Multiple vulnerabilities generated by the same vulnerability source count as one vulnerability, for example, if the port is open and there are multiple port opening problems, it can only count as one vulnerability. 

(5) The vulnerability report should include a detailed vulnerability description, recurring poc and vulnerability hazard certificate to speed up the processing speed of technicians. Vulnerability reports that are too simple and without any proof of harm will be ignored or reduced in pay.

(6) For vulnerabilities that do not belong to TCL's own business, such as those of partner companies, we will actively communicate them to partner companies, and the vulnerabilities of partner companies will not be included in the rewards. Meanwhile, open source vulnerabilities are not in the reward, which include third-party components, Google Android environment and Linux kernel.

(7) TCL's final audit results of vulnerabilities will be comprehensively judged based on the difficulty of exploiting vulnerabilities, the degree of hazard and the scope of influence.  

 

III.  Vulnerability Reward Composition

The reward consists of three parts: basic reward of vulnerability/intelligence, quality report bonus and special vulnerability/intelligence contribution reward, which will be continuously upgraded and improved according to the industry situation and the suggestions of vulnerability reporters.

3.1  Basic Reward of Vulnerability/Intelligence

See Chapter IV for basic reward

3.2  Bonus for Quality Reports

If the submitted report is detailed and complete, the reporter may receive the extra rewards of 10 to 100 US dollars. The report should include title+vulnerability description+vulnerability certificate+repair program

[Title]: Clarify the domain name and product name affected by the vulnerability and the type of vulnerability

[Vulnerability Description]: Detailed vulnerability description, url, vulnerability parameters, etc.

[Vulnerability Certificate]: vulnerability impact description and vulnerability utilization certificate

[Repair Program]: Provide one or more executable repair suggestions for the reported vulnerabilities

3.3  Special Vulnerability/Intelligence Contribution Reward

For vulnerabilities/intelligence that has a great impact on TCL security, such as critically sensitive information disclosure, direct denial of service of TCL core business, remote access to core system authority, etc., TCL will give the extra rewards of 100 USD~10000 USD after verification.

 

IV.  Security Vulnerability Scoring Rules

4.1  Vulnerability Basic Scoring and Reward Rules

We have defined four levels for vulnerabilities based on the degree of hazard: critical, high, medium, and low. The vulnerabilities covered by each level and the scoring standards are shown in the following table.

This scoring rule is only for reference, and the final scoring and reward quota of vulnerabilities will be comprehensively rated according to the actual utilization difficulty of vulnerabilities, business characteristics, the scope of vulnerability influence, the detailed degree of reports, and the cooperation degree of reporting persons during retest. TCL has the final interpretation and decision-making power.

Scoring rules for grading TCL reward business

 

4.2  Details of Intelligent Terminal Service Scoring

Vulnerability level

Vulnerability details

Reward standards (USD)

Critical

1. Critical logic can cause a vulnerability of great economic loss to users;

2. Remote access to system root and execute arbitrary code or command;

 

Core business: 1000-5000

High

1. Vulnerabilities that can remotely obtain some sensitive information of a large number of users

2. Vulnerabilities that cause great losses to users

3. A vulnerability that can obtain root or system permissions;

4. Install a malicious app to get the vulnerability of the victim app permissions without interaction

5. Bypass the safe startup mechanism

Core business: 200-1000

Medium

1. The app needs to be installed to cause vulnerabilities such as system restart or partial function denial of service

2. Vulnerabilities that cause general harm through hijacking

3. Logical vulnerabilities in the interface can cause vulnerabilities such as cheating users and phishing

4. Vulnerabilities that can obtain sensitive information of users are injected through app local sql

Core business:100-200

 

Low

1. Unsafe configuration of App (problems that are difficult to use or have no great impact will be ignored)

2. Low risk information leakage

3. Vulnerabilities that require more complex and harsh environments and conditions to trigger 

4. Hijacking vulnerability of app upgrade function

5. Physical contact is required, which can only be caused by the cooperation of users in specific scenarios

Core business: 20-50

 

Note: Not in the above description of vulnerabilities will be given corresponding rewards according to the mature vulnerability scoring standards in the industry

Note: the top prize will be: 5000USD (critical vulnerability) +100USD (quality report) +10000 USD (special contribution) = 15100 USD.

4.3  WEB Application Vulnerability Scoring Rules

 

Vulnerability level

Vulnerability details

Reward standards (USD)

Critical

1. The vulnerability that can direct access to the core system authority and directly harm in the intranet

2. The vulnerabilities that can obtain a large number of TCL users' core data

3. The vulnerabilities related to payment and damage to user property

4. The vulnerabilities that seriously endanger TCL account system

200

High

1. The vulnerabilities that can obtain sensitive information from users

2. Logical vulnerabilities in individual activities and businesses, such as those involving rewards given by TCL to users.

3. Weak password or authentication information bypasses and enters the background, and there is an actual authority or sensitive information in the business

4. Code leakage can actually operate online business, and this vulnerability can cause great harm

100

Medium

1. General information leakage of users

2. The vulnerability requires interaction to affect users

3. Broken access controls are a destructive vulnerability.

4. File inclusion, directory traversal, and vulnerabilities that can view some sensitive information

5. Code leakage, vulnerability with sensitive information but unsuccessful exploitation

 

30

Low

1. Vulnerabilities that can only obtain user information under certain circumstances

2. Temporary file traversal

3. Minor information disclosure vulnerability

4. Machine log files with certain sensitive information

5. Confirmed as a vulnerability, but there are more difficult vulnerabilities

6. Denial of service attacks caused by application layer defects

10

Note: Not in the above description of vulnerabilities will be given corresponding rewards according to the mature vulnerability scoring standards in the industry

Note: the top prize will be: 200USD

4.4  Details of Smart IOT Product Scoring

Vulnerability level

Vulnerability details

Reward standards (USD)

Critical

1. Critical logic can cause a vulnerability in the user's great economic loss

2. There is no interactive remote command execution vulnerability in the Internet environment;

3. Control unauthorized devices and perform unexpected functions (such as tampering with cameras and monitoring videos) under the Internet environment

Core business: 800-3000

High

1. Non-interactive command execution in LAN

2. Undesirable functions (e.g., tampering with cameras, monitoring videos, etc.) are performed to control unauthorized devices in the LAN

3. Vulnerabilities that can obtain detailed and sensitive information of a large number of users

Core business: 300-1000

Medium

1. Denial of service in Internet/LAN

2. Temporary denial of service caused by interaction

3. Broken access controls of non-important functions, logical vulnerability, etc.

4. Vulnerabilities with higher hazards that need to be triggered in a harsh environment

Core business: 50-100

Low

1. Unsafe configuration (problems that are difficult to use or have no great impact will be ignored)

2. Low risk information leakage

3. Physical contact is required, and the harm only causes information leakage or security risk vulnerabilities

4. Denial of service vulnerability after strong interaction

Core business:10-50

Note: Not in the above description of vulnerabilities will be given corresponding rewards according to the mature vulnerability scoring standards in the industry

Note: the top prize will be: 3000USD(critical vulnerability) +100USD(quality report) +10000 USD (special contribution) = 13100 USD

 

V.  Reward Allocation Instructions

(1) Overseas vulnerability reporters can obtain rewards by providing PayPal accounts. If it is other ways, TCL must confirm whether it can be paid. In China, it can be issued by the bank card number. 

(2) Every vulnerability you submit will be tracked and handled by a special person at the first time. At present, our standard processing time is 1~6 weeks, and the vulnerability processing process will be notified to you through security@tcl.com. Please pay attention to email messages. However, due to the complexity of each vulnerability, the analysis difficulty is different, and there will be a longer cycle. Hope you can understand. If you can provide detailed POC, it will speed up the processing speed of staff.

(3) The reward is distributed in two stages: 50% of the basic bonus will be distributed at the beginning of the first month after the vulnerability is graded, and the remaining 50% of the basic bonus and bonus for this vulnerability will be distributed after the vulnerability is repaired. Since different business repair cycles are different, we will inform the repair cycle length and the reward distribution time by stages.

(4) If the payment account number and other information are not filled in, the reward will be affected, and we will inform you of the supplementary payment information through security@tcl.com.  

Note: In the process of vulnerability handling, if the reporter disagrees with the handling process, vulnerability assessment, vulnerability scoring, etc., please give feedback through email security@tcl.com.

 

TCL Vulnerability Bounty Program (the “Program”) is a program created by Shenzhen TCL New Technology Co., Ltd. and its affiliated companies (“TCL”, “we” or “our”) to enhance our own business and product security and maintain user information security and privacy through receipt of vulnerabilities identified by security enthusiasts of the industry. Please click here to view the TCL Vulnerability Bounty Program and its associated rules.

 

The terms of the Program (the “Terms”) bind the reporter of a vulnerability or other participant in the Program (“Participant” or “you” or “your”). Participants submit vulnerabilities for a chance to earn rewards in an amount determined by TCL in its sole discretion (“Bounty”). By voluntarily submitting any vulnerability to TCL or participating in the Program in any manner, you are accepting these Terms as well as the TCL Vulnerability Bounty Rules, the Privacy Guidelines for TCL Vulnerability Bounty Program, and the specific vulnerability Bounty program rules in their entirety. These Terms and the referenced Program and its associated rules are an integral part of the Program. If you do not agree with these Terms or the referenced Program and its associated rules, please do not send us any vulnerability reports or participate in the Program in any other manner.

 

TCL reserves the right to change or cancel the Program at any time for any reason.

 

If you wish to withdraw from the Program, please contact us via [security@tcl.com]. Withdrawal from the Program will disqualify you from receiving the Bounty, and will not affect any license granted to TCL in any vulnerability report you have provided.

 

By submitting any vulnerability or otherwise participating in the Program, you agree to comply with all applicable legal provisions and you will be solely responsible for any legal consequences arising from any breach thereof. If you do not agree to these Terms, please do not submit any vulnerability or otherwise participate in this Program.

 

1. Eligibility to Participate in the Program

 

You are considered eligible to participate in the Program only if you meet all of the following conditions:

· You have full capacity for civil rights and full capacity for civil conduct;

· You are 14 years of age or older. If you are 14 years of age but are considered a minor in the location you reside, you must provide us with the written consent of your parent or legal guardian (as applicable) before participating in the Program;

· You are participating as an individual researcher, or working for an employer that allows you to participate in the Program. It is your responsibility to check your employer's rules regarding participation in the Program; and

· You will be solely responsible for all applicable taxes related to accepting the Bounty.

 

You are ineligible to participate in the Program if you meet any of the following conditions:

· You do not have full capacity for civil rights and full capacity for civil conduct;

· You are under 14 years of age, or if you are 14 or older but considered a minor in the location in which you reside, you have not provided us with written consent of your parent or legal guardian (as applicable) prior to participating in the Program;

· Your employer does not allow you to participate in such programs;

· You are currently an employee of TCL, or a lineal relative (parent, sibling, spouse or child) or family member of such an employee;

· Within the six months prior to providing us with your vulnerability report you were an employee of TCL;

· You are currently (or within six months prior to providing us with your vulnerability report) performing services for TCL as an external employee requiring access to the TCL corporate network, such as an agent temporary employee, supplier employee, business guest or contract worker;

· You are or have been involved in any part of the development, administration and/or implementation of the Program;

· You are a resident or restricted individual of any country/region subject to US sanctions, embargoes or export control, including the U.S. Department of Treasury’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List, Entity List, or any other restricted party lists or embargoes maintained by the U.S. government, as such lists or embargoes may be amended from time to time;

· You are a resident of any country that prohibits participation in this or a similar program; or;

· You do not comply with these Terms.

 

Your participation in the Program or receipt of any Bounty may be subject to additional restrictions under the local law in the jurisdiction in which you reside. It is your responsibility to comply with any local laws that may apply to your participation in the Program and/or receipt of any Bounty.

 

This Program is not intended to create any actual or perceived violation of public sector gifts and/or ethics rules and policies. If you are employed by a public sector entity, including but not limited to a government or educational institution, your participation in the Program must comply with your employer’s gifts and/or ethics policy. Any Bounty arising out of submission of vulnerability or other participation in the Program by a public sector employee must be awarded directly to the public sector employer, and receipt of any such Bounty is subject to receipt by us of a letter signed by your employer’s designated officer or counsel responsible for compliance with gift and ethics policies as applicable.

 

If you breach or otherwise not in compliance with any of the above terms, you may be disqualified from participating in the Program or receiving any Bounty, and you will be responsible for all consequences thereof. We are not responsible and disclaim any and all liability for any: (i) violations of local law in which you reside by your participation in this Program; or (ii) disputes between you and your employer which may arise as a result of your participation in the Program or receipt of any Bounty.

 

2. Vulnerability Submission

 

If you believe you have identified a vulnerability that meets the applicable requirements of the Program, you may submit it to us in accordance with the following process:

 

Each vulnerability submitted to TCL shall be a “vulnerability report”. The vulnerability report must be sent to [security@tcl.com]. The initial email shall contain [name of the applicable vulnerability Bounty program for the vulnerability you are submitting] and [basic information required for a qualified vulnerability report including the specific product and version numbers used to validate the report] with a title of [email title]. Please refer to the relevant rules for detailed requirements for basic information that must be contained in the vulnerability report.

 

Depending on the details of your vulnerability report, TCL may offer different levels of Bounty. Vulnerability reports that do not contain the minimum required information to validate the vulnerability are not eligible for a Bounty. Please refer to the respective programs and their rules for specific assessment criteria.

 

There is no limit to the number of qualified vulnerability reports you can submit.

 

If the vulnerability report is submitted in connection with a product that is not covered by the Program at the time you submit it, we will not offer a Bounty for that vulnerability. Only vulnerability reports submitted in connection with products covered by the Program at the time of submission are eligible for a Bounty even if such product is added to the Program at a later date.

 

3.  Your Representations, Warranties and Undertakings

 

You are responsible for the legality of the method, manner, tools and means used to research the vulnerability you submit to TCL and we bear no legal responsibility for any action undertaken by you to research any vulnerability or submit any vulnerability report.

 

You represent and warrant that the software you are using is genuine and legal and does not infringe any third party’s intellectual property rights of any kind. You must also not be involved in the manufacture, use, distribution or transfer of counterfeit, pirated or illegal software. 

 

You represent and warrant that: (i) you have discovered the existence of the vulnerability information through legal and proper means; and (ii) you own all intellectual property and any other applicable rights to the vulnerability information you submit.

 

You represent and warrant that you will not use technical or other means to harm or disrupt the regular performance of TCL’s relevant business or systems.

 

You represent and warrant that during your participation in the Program you will not use your participation in the Program to store, publish, or disseminate information or content that violates the laws applicable to the Program, or that infringes the legal rights of any third party.

 

If you breach these terms and conditions, we reserve the right to disqualify you from participating in the Program or receiving any Bounty and this will not be considered a breach of contract by us.  By breaching these terms and conditions, you will be solely liable for any damage caused to us thereby.  

 

4. Code of Conduct

 

You must not use the vulnerability and vulnerability-related information and/or TCL’s information for any illegal purpose. By participating in the Program, you are prohibited from:

 

· Engaging in any illegal activity;

· Engaging in any activity that utilizes, endangers, is likely to endanger, or threatens children;

· Sending spam messages where  “spam” is defined as unwanted or unsolicited bulk emails, posts, contact requests, SMS (Short Message Service or text message) or instant messages;

· Sharing inappropriate content or material (involving elements such as nudity, bestiality, pornography, graphic violence or criminal activity);

· Engaging in false or misleading activities;

· Engaging in activities that are harmful to you, the Program or other persons (for example, knowingly or negligently creating or distributing destructive programs such as computer viruses, stalking, posting terrorist content or hate speech, or advocating violence against others);

· Violating the rights of others (for example, by sharing copyrighted material or other protected intellectual property without authorization) or engaging in activities that violate the privacy of others;

· Actions prohibited in the Program and its rules, including but not limited to these Terms;

· Accessing the computer information network or using computer information network resources without permission, or deleting, modifying or adding to the functions of the computer information network, or deleting, modifying or adding to the data and applications stored, processed or transmitted in the computer information network, or acquiring the data stored in the relevant website system as well as the platform in the computer information network;

· Other actions that endanger the computer information network; and

· Assisting others in breaking the rules above.

 

If you violate any of these Terms, you may be barred from participating in the Program and we reserve the right not to offer a Bounty for any vulnerability reports you submit. If we incur any damages as a result of your violation of this Section 4, we reserve the right to seek compensation from you and to exercise any other remedies available to us at law or equity.    

 

5. License

 

As a prerequisite to participating in the Program, submitting any vulnerability report to TCL means that you:

 

· Grant TCL and its customers the following non-exclusive, irrevocable, perpetual, royalty-free, worldwide, transferable, sub-licensable intellectual property rights in respect of the vulnerabilities you have identified: (i) to use, review, evaluate, test or analyze your vulnerability reports; (ii) to reproduce, modify, distribute, display, publicly demonstrate and commercialize your vulnerability reports and to create derivative works of your vulnerability reports or all or part thereof; and (iii) to display your vulnerability report or all of its content in connection with the marketing, sale or promotion of the Program or other programs (including screen shots of vulnerability reports for internal and external sales meetings, conference demonstrations, trade shows and press releases) in all media (now known or later developed);

· Agree that TCL and its customers may use, sell, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works of the vulnerabilities you submit to us or use the above license in other ways;

· Agree to sign any documents required by us or our designee to confirm the above rights granted by you;

· Understand and acknowledge that TCL may have produced or commissioned to produce material similar or identical to your vulnerability report and that you waive any claims arising from the similarity to your vulnerability report;

· Understand that we do not guarantee to provide you with payment or credit for the use of your vulnerability report; and

· Represent, declare and warrant that your vulnerability report is your own work, that you are not using information owned by another person or entity, and that you have all applicable legal rights to provide the vulnerability report to TCL.

 

6. Restrictions and Confidentiality on Vulnerability Disclosure

 

When reporting any and all vulnerabilities to TCL, you must follow the vulnerability disclosure restrictions. Failure to comply with the vulnerability disclosure restrictions may result in you becoming ineligible for a Bounty and/or disqualify you from future participation in the Program.

 

You are obligated to keep confidential all the information about TCL’s vulnerabilities submitted to us in any vulnerability report. Without prior written consent signed by an authorized TCL representative, it is forbidden to disclose the vulnerability report or any information related to the vulnerability report to any third party including, but not limited to, disclosing such information through speeches, blogs, publication of technical articles, etc., unless TCL has first publicly disclosed it. You shall not discuss the vulnerability in any form before TCL informs you of the vulnerability repair. Notwithstanding the preceding, if you are required by law to disclose such information, you are permitted to do so provided that you provide us with notice prior to such disclosure and with enough time so as to allow us to seek protective treatment of such disclosure unless relevant law explicitly forbids you from providing us with such notice. Please contact TCL if you want to discuss the vulnerability after it is fixed. You must refrain from making any public statements or disclosures about the vulnerability report for at least 30 days after receiving TCL’s notification that the submitted vulnerability has been fixed.

 

If you learned any technology, trade secrets and related confidential information from your participation in the Program, you shall abide by applicable laws and regulations including those addressing intellectual property rights, unfair competition and trade secrets. You are responsible for treating any communications from us or other information you learn from your participation in the Program confidential. Without receiving prior written consent signed by an authorized TCL representative, you shall not disclose, transfer, permit use of, exchange or grant access to the information to any other organization or individual, or improperly use it with any other organization or individual in any manner.

If   you violate any of the above terms, we reserve the right to seek a refund of any Bounty we paid for your vulnerability, and to disqualify you from participating in our Program in the future. If we incur any damages as a result of your violation of this Section 6, we reserve the right to seek compensation from you and to exercise any other remedies available to us at law or equity.

 

The provisions of this Section 6 shall survive termination of the Program or this agreement and remain binding for a period of five (5) years from the date of termination of the Program or this agreement.

 

 

7. Review of Vulnerability Report

 

TCL reserves the sole right to decide which vulnerability reports are eligible for, and to decide the amount of, any Bounty that can be obtained according to provisions in these Terms. If we receive multiple vulnerability reports from different parties about the same vulnerability, the Bounty will be granted to the first qualified vulnerability report. We reserve the right to not review or otherwise consider vulnerability reports submitted by you for any reason in our sole discretion.

 

8. Bounty Payment

 

All decisions made by TCL in connection with a Bounty are final and binding.

 

If TCL has determined that your vulnerability report is eligible for the Bounty, we will notify you of the Bounty amount, denominated in the currency of our choosing and request the necessary information from you to make the payment, such as email address, contact telephone number, contact address, name, bank card number, wiring information, etc. If you fail to provide the necessary information or you provide inaccurate information within the notification period, you will be deemed to have waived the Bounty. We assume no liability for erroneous or inaccurate information submitted to us by you and we are under no obligation to verify the information provided by you to us.

 

In case of any dispute over who is the eligible reporter, the account holder of the email address used to participate in the Program will be determined as the eligible reporter or we shall use some other means to resolve the dispute in our sole discretion.

 

9. Privacy

 

Please refer to TCL's Privacy Policy for information regarding the collection, processing and use of personal data related to this Program.  

 

10. Termination

 

Unless otherwise agreed in these Terms, TCL has the right to terminate your participation in the Program by providing notice to you at any time under the following cases:

 

· You violate any provision of these Terms;

 

· As required by applicable laws and regulations or the requirements of administrative and judicial organs;

 

· It is not practical and feasible for TCL to continue to perform these Terms due to any changes in applicable laws or policies; or

 

· The fact that TCL continues to perform these Terms will cause a significant economic or technical burden or substantial security risks to the Company due to reasons that arise from your participation in the Program or for any other reasons determined by TCL in its sole discretion.

 

11. NO WARRANTY and Limitation of Liability

 

As permitted by applicable laws, we do not provide or make any express or implied guarantee or warranty related to the Program. You understand that the risk of participating in the Program is borne solely by you.

 

To the extent permitted by applicable law, we disclaim responsibility for any consequential, lost profits, special, indirect, incidental, or punitive losses related to or caused by these terms, no matter how they occur, whether or not they are caused by the violation of these Terms, even if we have been informed of the possibility of such losses in advance.

 

12. Changes to These Terms

 

You understand and agree that we can send you a notification via webpage announcement or e-mail, SMS or similar method of contact provided by you at our discretion. The notification is deemed to have been delivered on the date of sending or posting.

 

TCL reserves the right to change the contents of these Terms at any time, and to make notification of it by means of message, mail, webpage announcement, or by posting such revised or modified terms. If you continue to participate in the Program in any form after the change(s) of the content of these Terms takes effect, it means that you have fully read, understood and accepted the revised terms, and will also abide by the revised terms. If you disagree with the new terms, you are not allowed to participate or to continue your participation in the Program.

 

13. Governing Law and Dispute Resolution

 

These Terms are governed by the laws of the People’s Republic of China (excluding the laws of Hong Kong SAR, Macao SAR and Taiwan) (China), except as otherwise provided by any mandatory applicable law in your jurisdiction, in which case the governing law in relation to all or particular rights and obligations of the parties shall be the laws of your usual place of residence.

 

The United Nations Convention on the International Sale of Goods is specifically excluded from application to these Terms.

 

To the extent permitted by applicable law, in the event of a dispute arising out of or in connection with your participation in the Program, TCL and you shall attempt, promptly and in good faith, to resolve any such dispute. In the event that no resolution can be concluded within 30 days from the date when such dispute has first been raised by either party, either party shall have the right to submit the dispute (which may be contractual or non-contractual) to the competent courts of China as the exclusive dispute resolution venue, unless applicable mandatory consumer protection laws in your jurisdiction prohibits from conferring such jurisdiction in which case the court of your usual place of residence will apply to such disputes related to these Terms. This does not affect your right to start proceedings to protect your legal position.

 

Class Action Waiver: any dispute, whether in arbitration, in court or otherwise, will be conducted solely on an individual basis. TCL and you agree that no party will have the right or authority for any dispute to be arbitrated as a class action, a private attorney general action, or in any other proceeding in which either party acts or proposes to act in a representative capacity. No arbitration or proceeding will be joined, consolidated, or combined with another arbitration or proceeding without the prior written consent of all parties to any such arbitration or proceeding.

 

If you do not agree to be bound by the above Class Action Waiver, then: (A) you must notify TCL in writing within 60 days of the date that you participate in the Program; (B) your written notification must be mailed to our Legal Department at 9/F, Building D4, International E-city, No.1001 Zhongshanyuan Road, Nanshan District, Shenzhen, PRC.; and (C) your written notification must include (1) your name, (2) your address, (3) the date you participate in the Program, and (4) a clear statement that you wish to opt out of the class action waiver.

 

14. Integrity

 

These Terms, the TCL Vulnerability Bounty Rules, the Privacy Guideline for TCL Vulnerability Bounty Program, and the specific vulnerability Bounty program rules (collectively, the “Incorporated Agreements”) constitute the entire agreement between you and TCL regarding your participation in the Program. These Terms and the Incorporated Agreements replace all terms and conditions of the participation program previously signed between you and TCL. All parts of these provisions will be implemented as permitted by relevant laws. If any provision of these Terms or the Incorporated Agreements is invalid, illegal, or unenforceable in any applicable jurisdiction, such invalidity, illegality, or unenforceability shall not affect any other term or provision of these Terms or the Incorporated Agreements or invalidate or render unenforceable such term or provision in any other jurisdiction. In the event of a conflict between these Terms and the Incorporated Agreements or any conflict between the individual agreements that comprise the Incorporated Agreements, the order of precedence shall be: (i) these Terms; (ii) the specific rules applicable to the relevant Bounty program; (iii) the TCL Vulnerability Bounty Rules; and then (iv) the Privacy Guideline for TCL Vulnerability Bounty Program.

 

15. Language

 

Any translation of these Terms is done for local requirements or convenience and in the event of a dispute between the Chinese and any non-Chinese versions, the Chinese version of these Terms shall govern, to the extent not prohibited by local law in your jurisdiction.

 

16. Others

 

You're responsible for properly keeping the information such as email address and login password used for submitting vulnerability reports. You are responsible to make sure that all actions represent your own will, and you will bear the corresponding legal consequences.

 

You understand and agree that we have the right to inquire and disclose personal information and these Terms or the like according to the requirements of applicable law.

 

If you send any opinions concerning aspects including but not limited to new products, technologies, promotions, product names, product feedback and product improvement to TCL through the program or any other ways, TCL does not ensure whether your opinions will be regarded as confidential or proprietary information.


Privacy Guidelines for TCL Vulnerability Bounty Program

Last updated date: [2021], [1], [31].

Privacy Guidelines for TCL Vulnerability Bounty Program (“Guidelines”) explains TCL personal information protection matters related to TCL Vulnerability Bounty Program in detail, which will serve as a supplement to TCL Global Privacy Notice (please click and read the full version of TCL Global Privacy Notice to learn more about our processing rules of personal information. In case of any inconsistency between TCL Global Privacy Notice and the Guidelines, the Guidelines shall prevail.

1. The purpose of collection, storage, processing and use of your personal information

We may collect, store, process and use your personal information for the following purposes as described in the Guidelines:

1.1 To complete your participation in the [TCL Vulnerability Bounty Program]

1.2 To facilitate our communication with you about the [TCL Vulnerability Bounty Program]

1.3 To make the payment of the corresponding bounty in [TCL Vulnerability Bounty Program] (if we confirm that you are eligible for bounty)

2. Personal information which you shall authorize us to collect and use

2.1 Essential information that you voluntarily provide for participating in the [TCL Vulnerability Bounty Program]

When you participate in this Program, in order to complete the submission of the vulnerability report, we need to collect some personal information, such as email address, etc. If you do not provide such essential information, we cannot effectively collect the vulnerability information submitted by you.

2.2 Information essential for our communication with you

In order to collect vulnerability information and vulnerability report, we will use your mobile phone number, e-mail address and other contact information you provide to communicate with you.

2.3 Information essential for payment of bounty

If the security vulnerability submitted by you meets the requirements of our bounty program, we will pay you the corresponding bounty. In order to make the payment, we need to collect your relevant personal information, including your real name, mobile phone number, ID and other personally identifiable information as well as the bank account used for payment collection and the name of the opening bank, etc.

3. Your rights

During your participation in the [TCL Vulnerability Bounty Program],we recognize your privacy rights, such as requesting access to, recitify or delete your personal information. Please contact us through the methods provided in the “Contacting us” section of TCL Global Privacy Notice if you need to exercise your rights.

4. Data retention

Unless otherwise required by laws and regulations, we will retain your personal information only for as long as necessary for aforementioned purpose, and after the period specified by laws or competent authorities has expired, we will delete or anonymize your personal information in accordance with the requirements of laws and regulations.

5. Others

5.1 Unless otherwise specified, the proper nouns or terms used in the Guidelines are strictly consistent with TCL Global Privacy Notice .

5.2 The Guidelines may be updated irregularly to reflect changes in personal information practices related to this Program or revisions in applicable laws. We will issue notifications of any significant changes to the Guidelines, and indicate the latest update time at the top of the Guidelines.

5.3 As for disputes and complaints concerning privacy protection of the [TCL Vulnerability Bounty Program], besides the contact information in the TCL Global Privacy Notice, you can also contact us via:

Customer service e-mail: [security@tcl.com]

5.4 The Guidelines shall come into force as of the date of the lastest update.

6. The Guidelines is a supplementary notice and commitment concerning the privacy matters of the TCL Vulnerability Bounty Program. For other detailed privacy-realated information, please refer to the TCL Golobal Privacy Notice