Vulnerability Assessment Standard

360 sincerely believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you have found any security issue in our products or services, we encourage you to notify us. We look forward to working with you to resolve the issue promptly.

To avoid misunderstandings and ambiguities, we apply the following assessment standard. Although it is lengthy, please read it in its entirety before submitting a report.

Each qualified vulnerability report will be rated by its severity. The classifications, from high to low, are Critical, High, Moderate and Low. (No bounty will be awarded if the reported vulnerability is rated Low.)

360 Smart Phone

• Target Device

360 Smart Phone N5, 360 Smart Phone N5S.

• Scope

360 mobile application vulnerabilities: pre-installed applications in 360 mobile phones and general 360 mobile applications, such as 360 Mobile Browser.

360 mobile phone system vulnerabilities: MSM and MTK driver vulnerabilities, common Linux kernel vulnerabilities.

• Remote Exploits: Reward up to $50,000

Vulnerabilities that can be exploited remotely, such as remote code execution.

Critical & High: Silent execution beyond the original function without interaction.

• Local Exploits: Reward up to $13,000

Vulnerabilities that can be exploited locally, such as installation of applications and execution of binaries.

Critical & High: Silent execution beyond the original function without interaction.

360 Router

• Target Device

360 Router P0, 360 Router P1, 360 Router P2, 360 Wi-Fi Extender.

• Scope

Logic vulnerabilities, system vulnerabilities, internal dependency vulnerabilities.

• Remote Code Execution: Reward up to $50,000

Unauthorized root access to devices and remote code execution by remote Internet attackers via public IP communication (Physical contact such as disassembling is not allowed.)

• Code Execution in Local Area Network (LAN): Reward up to $13,000

Unauthorized root access to devices and code execution via intranet IP communication (Physical contact such as disassembling is not allowed.)

• Remote Code Execution: Reward up to $7,000

Unauthorized root access to devices and router system damage by remote Internet attackers via public IP communication (Physical contact such as disassembling is not allowed.)

360 Smart Camera

• Target Device

360 Smart Camera (the Basic Version, the 1080P HD Version, the Night Vision Plus, the Waterproof Version), 360 Security Monitoring.

• Scope

Logic vulnerabilities, system vulnerabilities, internal dependency vulnerabilities.

• Remote Information Disclosure: Reward up to $50,000

Unauthorized capture of encrypted video traffic and decryption of ciphertext into plaintext outside of the LAN (The decrypting method has to be repeatable and generalizable.)

• Code Execution in Local Area Network (LAN): Reward up to $25,000

Unauthorized root access and arbitrary code execution by sending malicious packets within the LAN (Physical contact such as disassembling is not allowed.)

• Remote Denial of Service: Reward up to $7,000

Device system damage caused by sending malicious packets.

360 Watch

• Target Device

360 Watch (versions: 5, 5s, 5c, se, 3s)

• Scope

Logic vulnerabilities, system vulnerabilities, internal dependency vulnerabilities.

• Remote Exploits: Reward up to $50,000

Vulnerabilities such as code execution and command execution triggered remotely, for example through downloads or remote protocol connections.

Critical: Default execution beyond the original function without interaction.

High: Default execution beyond the original function with interaction.

• Local Exploits: Reward up to $13,000

Vulnerabilities that allow execution of arbitrary code or programs through non-contact channels such as Wi-Fi or Bluetooth communication.

Critical: Default execution beyond the original function without interaction.

High: Default execution beyond the original function with interaction.

• Denial of Service and other special vulnerabilities: Reward up to $13,000

Flaws that can be exploited to attack a resident service or low-level driver and put the device in a down state. Others will be processed as normal program bugs.

360 Dash Cam

• Target Device

Second-generation Dash Cam series, Rearview Mirror Dash Cam series.

• Scope

Logic vulnerabilities, system vulnerabilities, internal dependency vulnerabilities.

• Remote Exploits: Reward up to $50,000

Flaws such as code execution and command execution triggered remotely, for example through downloads or remote links.

Critical: Default execution beyond the original function without interaction.

High: Default execution beyond the original function with interaction.

• Code Execution in Local Area Network (LAN): Reward up to $13,000

An unauthorized attacker, inside or outside the same LAN, gains root privilege and executes arbitrary code by sending malicious packets. (Physical contact such as disassembling is not allowed.)

Critical: Default execution beyond the original function without interaction.

High: Default execution beyond the original function with interaction.

• Unauthenticated Access: Reward up to $13,000

An unauthorized attacker obtains arbitrary data from the device without physical contact. (The decryption method can be applied generally.)