Vulnerability Assessment Standard

360 sincerely believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you have found any security issue in our products or services, we encourage you to notify us. We look forward to working with you to resolve the issue promptly.

In order to avoid misunderstandings and ambiguities, we apply the following assessment standard; even if lengthy, please read it in its entirety before submitting a report.

Each qualified vulnerability report will be rated by its severity. The classifications from high to low are Critical, High, Moderate and Low. (No bounty will be awarded if the vulnerability reported is rated Low.)

Botslab Smart Camera

• Target Device

Botslab Smart Camera (versions: Indoor Cam 2C211, Indoor Cam 2EC212, Indoor Cam C201)

• Scope

Logic vulnerabilities, system vulnerabilities, internal dependencies vulnerabilities.

• Remote Information Disclosure: Reward up to $50,000

Unauthorized capture of encrypted video traffic and decryption of the ciphertext into plaintext from outside the LAN. (The decryption method must be repeatable and generalizable.)

• Code Execution in Local Area Network (LAN): Reward up to $25,000

Unauthorized root access and arbitrary code execution by sending malicious packets within the LAN. (Physical contact, such as disassembly, is not allowed.)

• Remote Denial of Service: Reward up to $7,000

Damage to the device system by sending malicious packets.

Botslab DoorBell

• Target Device

Botslab Video Doorbell2Pro R811

• Scope

Logic vulnerabilities, system vulnerabilities, internal dependencies vulnerabilities.

• Remote Information Disclosure: Reward up to $50,000

Unauthorized capture of encrypted video traffic and decryption of the ciphertext into plaintext from outside the LAN. (The decryption method must be repeatable and generalizable.)

• Code Execution in Local Area Network (LAN): Reward up to $25,000

Unauthorized root access and arbitrary code execution by sending malicious packets within the LAN. (Physical contact, such as disassembly, is not allowed.)

• Remote Denial of Service: Reward up to $7,000

Damage to the device system by sending malicious packets.

Botslab Watch

• Target Device

Botslab Kids Watch E3

• Scope

Logic vulnerabilities, system vulnerabilities, internal dependencies vulnerabilities.

• Remote Exploits: Reward up to $50,000

Vulnerabilities such as code execution and command execution triggered by remote exploits, for example through downloads or remote protocol connections.

Critical: Execution beyond the original function by default, without user interaction.

High: Execution beyond the original function by default, with user interaction.

• Local Exploits: Reward up to $13,000

Vulnerabilities that allow arbitrary code or program execution under certain non-contact conditions, such as Wi-Fi or Bluetooth communication.

Critical: Execution beyond the original function by default, without user interaction.

High: Execution beyond the original function by default, with user interaction.

• Denial of Service and other special vulnerabilities: Reward up to $13,000

Flaws that can be exploited to attack a resident service or low-level driver program and take the device down. Others will be processed as normal program bugs.

Botslab Dash Cam

• Target Device

Botslab Dash Cam (versions: Dash Cam G580H, Dash Cam HK30)

• Scope

Logic vulnerabilities, system vulnerabilities, internal dependencies vulnerabilities.

• Remote Exploits: Reward up to $50,000

This rating is given to flaws such as code execution and command execution triggered by remote exploits, for example through downloads or remote links.

Critical: Execution beyond the original function by default, without user interaction.

High: Execution beyond the original function by default, with user interaction.

• Code Execution in Local Area Network (LAN): Reward up to $13,000

An unauthorized attacker, outside or inside the same LAN, gains root privileges and executes arbitrary code by sending malicious packets. (Physical contact, such as disassembly, is not allowed.)

Critical: Execution beyond the original function by default, without user interaction.

High: Execution beyond the original function by default, with user interaction.

• Unauthenticated Access: Reward up to $13,000

An unauthorized attacker obtains arbitrary data from the device without physical contact. (The decryption method must be generally applicable.)