[TPSA20-22] With bounties up to USD$140,000!


TSRC is formally launching a special project that focuses on Tencent’s own server and IoT operating system. We sincerely invite all white hat researchers to find possible vulnerabilities in Tencent OS and report them to TSRC. We look forward to working with you to further enhance the security of Tencent and its millions of users around the world.

The special project will last throughout the year and the maximum bounty for a single vulnerability will be up to USD$140,000. 

【Project Duration】

Starting from 8 June 2020 09:00 (GMT+8) to 31 December, 2020 23:59 (GMT+8)

【In-Scope Assets】


TSRC will award a maximum bounty of USD$140,000 for a single valid vulnerability. The reward assessment guidelines are as follows:

•   Other eligible vulnerabilities not mentioned in the table above:
          Researchers reporting other eligible vulnerabilities not mentioned in the above table will receive twice the regular monetary rewards and credits stated in our policy page. 

•   Please refer to the Tencent policy page to view the regular bounty table.

【Report Submission】

Please note that all vulnerability reports associated with this project must be submitted on TSRC (https://en.security.tencent.com/index.php/report/add), using the title starting with "[Tencent OS]". 

If multiple researchers report the same vulnerability, the reward will be awarded to the first reporter.

【Rules of Engagement】

1. Please download the corresponding system from the provided download link and test it locally.

Please DO NOT conduct test in live Tencent network environment. 

2. The in-scope assets only include the OS system itself and does not include self-installed third-party software/components. 

3. An effective recurring exploitation must be clearly explained and provided, and the specific vulnerability rating will determined by CVSS. 

4. If the researcher has any questions about the scope, submission process, vulnerability assessment and rating, etc., please use the comment function of your vulnerability report page or contact us at security@tencent.com directly. TSRC will protect the due rights of researchers, and if necessary, may bring in external parties to make a joint decision.