自2020年5月到6月期间，昵称为“Windows no bugs”的安全专家陆续向360SRC提交了一枚严重、两枚高危的0day漏洞，提供了完整细致的报告（包括如何发现漏洞、漏洞的具体位置、详细利用方法及视频等），并积极与我们保持沟通协助相关问题的确认和修复工作。截止目前，漏洞已完成全面修复，暂未发现有用户因该漏洞导致的信息泄露和损失。我们对他表示由衷的感谢！

具体有效漏洞名称为：

CVE-2020-15722

在360安全卫士12.1.0.1004版本及以下的版本中，360安全卫士TPI调用浏览器进程时，存在本地提权漏洞，攻击者可通过dll劫持在本地系统执行任意代码

CVE-2020-15723

在360安全卫士12.1.0.1004版本及以下的版本中，360安全卫士主程序调用GameChrome.exe时，存在本地提权漏洞，攻击者可通过dll劫持绕过主动防御，在本地系统执行任意代码

CVE-2020-15724

在360安全卫士12.1.0.1005版本及以下的版本中，游戏管家调用GameChrome.exe时，存在本地提权漏洞，攻击者可通过dll劫持绕过主动防御，在本地系统执行任意代码

依据360SRC漏洞奖励规则（https://security.360.cn/Reward/reward），360SRC对这位安全专家提交的漏洞进行评估和发放税后奖金_2100_美元（从人民币兑换外币的计算应以兑换当日由中国人民银行公布的汇率为准）。

对于白帽子们提交的优质漏洞，确认有效后，360SRC除了现金奖励以外，还可申请和发放CVE编号。可申请CVE的产品范围为：360 Total Security, 360 Safeguard, 360 Mobile Safe, and 360 Safe Router products, and vulnerabilities in third-party products discovered by 360

360SRC真诚感谢每一位白帽子和安全生态伙伴，帮助我们不断完善360安全体系、提升产品的安全性，让用户安心畅享万物互联世界。

360SRC在法律允许的范围内对以上内容拥有解释权与修改权。

Since May to June 2020, a security researcher ID: ”Windows no bugs” had submitted one CRITICAL and two HIGH level 0day vulnerabilities of 360 Security Response Center. with complete and detailed reports (including how to find the vulnerability, the specific location of the vulnerability, detailed utilization methods and videos, etc), and actively maintained communication with us to assist in the confirmation and repair of related problems.We are so deeply grateful for his contribution to our product security.

These vulnerabilities involved:

CVE-2020-15722

In version 12.1.0.1004 and below of 360safeguard,

when TPI calls the browser process,

there exists a local privilge escalation vulnerability.An attacker who could exploited DLL hijacking could execute arbitrary code on the Local system.

CVE-2020-15723

In the version 12.1.0.1004 and below of 360safeguard,

when the main process of 360 Total Security calls GameChrome.exe, there exists a local privilge escalation vulnerability.

An attacker who could exploited DLL hijacking to bypass the hips could execute arbitrary code on the Local system.

CVE-2020-15724

In the version 12.1.0.1005 and below of 360safeguard,

when the Gamefolde calls GameChrome.exe, there exists a local privilge escalation vulnerability.

An attacker who could exploited DLL hijacking to bypass the hips could execute arbitrary code on the Local system.

Up to now, no information leakage or loss caused by these vulnerabilities has been found.

We have evaluated the vulnerabilities he submitted and awarded him_2100_USD (Conversion from RMB to USD shall be made at the exchange rates published by the People's Bank of China on the date of such conversion.) subject to the 360SRC Vulnerability Reward Rules (https://security.360.cn/Reward/reward).

The 360 Company reserves the right ofinterpretation to the maximum extent permitted by law.