[TPSA19-1]TSRC Bug Bounty Program Policy (applicable only to International Plans)


This standard is invalid. Please check the latest standard: https://en.security.tencent.com/policy


0x00 Reporting 

Tencent believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you have found any security (technical) vulnerability in the products or services of Tencent, you are welcomed to submit a vulnerability report on https://en.security.tencent.com. We will work with you to resolve the issue promptly.

0x01 Processing 

TSRC (Tencent Security Response Center) will review and respond as quickly as possible to your submission, and keep you informed as we work to fix the vulnerability you submitted. We may contact you for further information if necessary. 

0x02 Scope 

Tencent delivers integrated internet solutions to billions of people through its “user oriented” business philosophy. All the assets of Tencent group are in scope, including but not limited to Tencent websites, mobile applications (e.g. Mobile QQ, Wechat and QQ Browser for Android / iOS), web applications and key desktop applications (e.g.Tencent QQ standard version for desktop user).
Our main domains include but are not limited to: 


0x03 Qualifying vulnerabilities 

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in the scope for the bounty program.

0x04 Non-qualifying Vulnerabilities 

Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to: 

• Bugs that do not have security impacts.
Examples: Bugs regarding the encoding of the page, failure in opening the web page, failure in specific functions. 

• Vulnerabilities that cannot be exploited.
Examples: Scanning system reports that are without practical meanings (e.g. the version of Web Server is out-of-date), Self-XSS, JSON Hijacking that cannot give access to sensitive information, CSRF that cannot perform sensitive operations (e.g., favoriting, adding the item to the cart, subscribing unimportant businesses or services, modifying profile of the user of unimportant business), leakage of source code that can hardly be exploited, leakage of IP / domain of intranet, phishing via HTTP Basic Authentication dialogue, issues related to trust of the path of the applications, leakage of logcat information without sensitive information. 

• Wild guess without any proofs.
Example: Inferred vulnerabilities based on the fact that QQ account getting hacked. 

• Applications that are not belong to Tencent.

Thank you for helping keep Tencent and our users safe! 

Detailed Policy can be seen in:

If you have anything in doubt, feel free to contact us at security@tencent.com