Bounty Policy

From:TSRCUpdate Date:2020-04-08

Tencent looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. If you believe you have discovered a vulnerability, kindly disclose to us responsibly via the Tencent Security Response Centre (TSRC).

Rules of Engagement

Any design or implementation issue that is reproducible and substantially affects the security of Tencent users is likely to be in scope for the program.

However, only reports that meet the following requirements are eligible to receive a monetary reward:

  • You must be the first reporter of the vulnerability
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • The vulnerability must demonstrate security impact to a site or application in scope (see Scope below)
  • Accessing private information of other users, performing actions that may negatively affect Tencent users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken
  • When testing, you must use your own test accounts in order to respect our users’ privacy, especially those which may compromise the privacy of others.
  • Vulnerability Disclosure:
    • You must not have publicly disclosed the vulnerability prior to the report being closed and should be in compliance with the process described in the Tencent Vulnerability Disclosure Guidelines.
    • Please take note that any form of vulnerability disclosure prior to consent from Tencent may result in disqualification from the bug Bounty program
  • We can’t be legally prohibited from rewarding you.


Rewards

Rewards are stated in USD.

All reports will be reviewed based on the impact and severity of the reported vulnerability. Tencent may choose to pay extra higher rewards, up to a maximum of $28,000 bounty for special promotion we run, unusually clever, severe, or highly influential vulnerabilities, as well as lower rewards for vulnerabilities that require significant or unusual user interaction.

The decision to grant a monetary rewarded and the final amount for a vulnerability will be within the discretion of the Tencent Security Team.

Any report that results in a change being made will at a minimum receive the Hall of Fame recognition.


The main categories of vulnerabilities that we are concerned about are:

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Access Control Issues (Insecure Direct Object Reference issues, etc.)
  • Exposed Administrative Panels that without strong protection
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Vast Users’ Sensitive Information Leakage
  • Vast Order details Leakage

In-Scope Assets

The scope listed here are Tencent owned and operated. For more information, please visit https://www.tencent.com/en-us/business.html.

Vulnerabilities affecting assets not listed in the scope of this program will not be eligible for a bounty.

1. Core Assets

  • Mobile Assets (iOS and Android)
    • Weixin/WeChat
    • QQ
  • Windows Executable
    • Weixin/WeChat
    • QQ
  • Mac OS Executable
    • Weixin/WeChat
    • QQ

2. Other In-Scope Assets:

Out-of-Scope Assets

Please note that the vulnerabilities reported for the following assets will not be eligible for bounties.

  • *.qzoneapp.com
  • *. myqcloud.com
  • Third-party applications and websites

*Notes about Tencent Cloud (cloud.tencent.com as included in *.tencent.com)

Only vulnerabilities affecting the platform itself and IP owned by Tencent will be accepted. If an IP belongs to Tencent Cloud external customer, it is not considered in scope.

Test Plan

You can use a QQ or Wechat account to log into all Tencent’s assets.

1. To register a QQ account, please go to https://ssl.zc.qq.com/v3/index-en.html?type=0 and follow the instructions.

2. To register a Wechat account, please download an WeChat app from App store or through Android system, then follow the registration guide.

Once you have a QQ or WeChat account, you can start testing.

Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope (either ineligible or false positives):

  • "Self" XSS
  • Session fixation
  • Content Spoofing
  • Missing cookie flags
  • SSL/TLS best practices
  • Mixed content warnings
  • Clickjacking/UI redressing
  • Flash-based vulnerabilities
  • Admin panel can be brute force
  • Local denial of service of Mobile APP
  • Reflected file download attacks (RFD)
  • Physical or social engineering attacks
  • Feedback,comment,message,etc. flooding
  • SMS/Email flooding for some of our business
  • CSRF/XSS with long or unpredictable parameter
  • Login/logout/unauthenticated/low-impact CSRF
  • Unverified Results of automated tools or scanners
  • No SPF/DMARC in non-email domains/subdomains
  • Attacks requiring MITM or physical access to a user's device
  • Issues related to networking protocols or industry standards
  • Error information disclosure that cannot be used to make a direct attack
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Information leakage that cannot be used to make a direct attack,like server IP,server version,path,error message,internal IP,etc.

Detecting SSRF

We have set up a "demo" service for SSRF testing. If you believe you have an SSRF in production, please use either of the following IP/port combinations for testing:

http://10.204.9.230:80 aka http://tst.qq.com/flag.html

This service will accept HTTP requests to any endpoint, of any request type, and will return a secret token in both headers and response body.