Tencent looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. If you believe you have discovered a vulnerability, kindly disclose to us responsibly via the Tencent Security Response Centre (TSRC).
Rules of Engagement
Any design or implementation issue that is reproducible and substantially affects the security of Tencent users is likely to be in scope for the program.
However, only reports that meet the following requirements are eligible to receive a monetary reward:
- You must be the first reporter of the vulnerability
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- The vulnerability must demonstrate security impact to a site or application in scope (see Scope below)
- Accessing private information of other users, performing actions that may negatively affect Tencent users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.
- When testing, you must use your own test accounts in order to respect our users’ privacy, especially for tests that could compromise the privacy of others.
- Vulnerability Disclosure:
  - In order to protect user privacy, it is strictly forbidden to publicly disclose the vulnerability before the report has been closed and the vulnerability has been fixed.
  - Disclosure must be authorized by TSRC. Please note that any form of vulnerability disclosure prior to consent from Tencent may result in disqualification from the Bug Bounty program.
- Feel free to contact us if you have any questions.
- We can’t be legally prohibited from rewarding you.
Rewards
Rewards are stated in USD.
All reports will be reviewed based on the impact and severity of the reported vulnerability. Tencent may choose to pay higher rewards, up to a maximum of $28,000, for special promotions we run and for unusually clever, severe, or highly influential vulnerabilities, as well as lower rewards for vulnerabilities that require significant or unusual user interaction.
The decision to grant a monetary reward, and the final amount for a vulnerability, is at the discretion of the Tencent Security Team.
Any report that results in a change being made will at a minimum receive the Hall of Fame recognition.
The main categories of vulnerabilities that we are concerned about are:
- Cross-site Scripting (XSS)
- Cross-site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues (Insecure Direct Object Reference issues, etc.)
- Exposed Administrative Panels without strong protection
- Directory Traversal Issues
- Local File Disclosure (LFD)
- Large-scale leakage of users’ sensitive information
- Large-scale leakage of order details
In-Scope Assets
The assets listed here are owned and operated by Tencent. For more information, please visit https://www.tencent.com/en-us/business.html.
Vulnerabilities affecting assets not listed in the scope of this program will not be eligible for a bounty.
1. Core Assets
- Mobile Assets (iOS and Android)
- Windows Executable
- Mac OS Executable
2. Other In-Scope Assets:
- Web Assets
  - *.qq.com
  - *.tencent.com
  - *.tenpay.com
  - *.dnspod.cn
  - *.weiyun.com
- Mobile Assets (iOS and Android)
  - Tencent Video
  - Tencent News
  - Tencent Sports
  - Tencent Map
  - Tencent Mobile Manager
  - Qzone
  - Weishi
  - WeChat Pay
  - QQ Wallet
  - LiCaiTong
  - YingYongBao
  - 腾讯邮箱 (QQ Mailbox)
  - 腾讯自选股 (Tencent Portfolio)
- Windows Executable
  - Tencent PC Manager
  - QQ Browser
  - QQ Mail
  * Full list at https://pc.qq.com/category/c99.html (this page only)
- Mac OS Executable
  - QQ for Mac
  - WeChat for Mac
  - Meeting for Mac
  * Full list at https://mac.qq.com/ (Tencent Area section only)
Out-of-Scope Assets
Please note that the vulnerabilities reported for the following assets will not be eligible for bounties.
- *.qzoneapp.com
- *.myqcloud.com
- Third-party applications and websites
* Note about Tencent Cloud (cloud.tencent.com, which falls under *.tencent.com)
Only vulnerabilities affecting the platform itself and IP addresses owned by Tencent will be accepted. If an IP address belongs to an external Tencent Cloud customer, it is not considered in scope.
Test Plan
You can use a QQ or WeChat account to log into all of Tencent’s assets.
1. To register a QQ account, please go to https://ssl.zc.qq.com/v3/index-en.html?type=0 and follow the instructions.
2. To register a WeChat account, please download the WeChat app from the App Store or an Android app store, then follow the registration guide.
Once you have a QQ or WeChat account, you can start testing.
Out-of-Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope (either ineligible or false positives):
- "Self" XSS
- Session fixation
- Content Spoofing
- Missing cookie flags
- SSL/TLS best practices
- Mixed content warnings
- Clickjacking/UI redressing
- Flash-based vulnerabilities
- Admin panels that can be brute-forced
- Local denial of service of mobile apps
- Reflected file download attacks (RFD)
- Physical or social engineering attacks
- Feedback, comment, message, etc. flooding
- SMS/Email flooding for some of our businesses
- CSRF/XSS with long or unpredictable parameters
- Login/logout/unauthenticated/low-impact CSRF
- Unverified results of automated tools or scanners
- No SPF/DMARC in non-email domains/subdomains
- Attacks requiring MITM or physical access to a user's device
- Issues related to networking protocols or industry standards
- Error information disclosure that cannot be used to make a direct attack
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Information leakage that cannot be used to make a direct attack, like server IP, server version, path, error message, internal IP, etc.
Detecting SSRF
We have set up a "demo" service for SSRF testing. If you believe you have an SSRF in production, please use either of the following addresses for testing:
http://10.204.9.230:80 (i.e. http://tst.qq.com/flag.html)
This service will accept HTTP requests to any endpoint, of any request type, and will return a secret token in both headers and response body.