AdsPower

Security Bug Bounty Program


AdsPower (hereinafter referred to as "we" or "the Company") is committed to ensuring the security of user information and systems. We welcome security researchers to help us identify and report potential security vulnerabilities in compliance with this policy.


Before participating in this program, please carefully read and fully understand all contents of this policy. By submitting vulnerabilities or conducting testing activities, you are deemed to have agreed to all terms and conditions of this policy.


This program does not constitute any form of legal offer or reward commitment. The Company reserves the final decision-making authority regarding vulnerability assessment and reward distribution.


Vulnerability Submission Email: security@adspower.net


Eligibility Statement: This Vulnerability Reward Program is open only to external security researchers. Current and former employees are not eligible to participate.


1. Safe Harbor Scope and Principles

Under the strict condition of complying with all terms of this policy, AdsPower authorizes security researchers to conduct limited security testing activities in good faith within the explicitly defined asset scope of this policy. This authorization applies only to activities that:

  1. Are solely for the purpose of discovering and reporting security vulnerabilities;
  2. Do not harm system availability, data integrity, or user rights;
  3. Strictly follow the principle of minimum necessity.

This authorization is limited only to the assets explicitly listed in this policy. Any actions beyond the authorized scope are not permitted by the Company, and individuals shall bear full legal responsibility.

This policy does not exempt any applicable laws (including but not limited to laws related to computer systems, data protection, or criminal law).


Legality Principle: All testing activities must strictly comply with applicable laws and regulations, including but not limited to the Cybersecurity Law of the People's Republic of China, Data Security Law of the PRC, and Personal Information Protection Law of the PRC. Nothing in this policy constitutes an exemption from these laws.


Non-Harm Principle: All testing must be conducted without harming user rights or affecting normal business operations. Any testing that may cause service interruption, data damage, or privacy leakage is strictly prohibited.


2. Scope of Testing

Limited to the following production assets:

  • *.adspower.com
  • *.adspower.net
  • AdsPower official desktop client (all platforms)

Any assets not listed are considered out of scope by default.


3. AdsPower Vulnerability Severity Classification

The following severity levels are for reference only. The Company reserves the right to adjust based on actual circumstances.


Critical

  • Vulnerabilities that directly grant system-level access, including but not limited to command injection, remote command execution, and webshell upload.
  • Severe sensitive information leakage with major impact on the company or users, including large-scale or multi-dimensional sensitive data exposure.
  • Vulnerabilities leading to massive leakage of core sensitive data, such as SQL injection in core databases or large-scale unauthorized access to user-sensitive interfaces.
  • Remote arbitrary code execution or file read/write with no or minimal user interaction.
  • Direct access to critical infrastructure systems such as clusters or bastion hosts.


High

  • Exploitable SQL injection vulnerabilities (e.g., retrieving user data).
  • Logic vulnerabilities causing serious impact, such as arbitrary password reset or account takeover.
  • Client-side vulnerabilities enabling remote command/code execution.
  • Unauthorized access, including bypassing authentication to access admin systems or sensitive data.
  • Local arbitrary code execution (excluding DLL hijacking caused by system defects).


Medium

  • General information disclosure, including limited-impact unauthorized access, source code leaks, logs, or SSRF without data return.
  • Vulnerabilities requiring user interaction or preconditions, such as JSON hijacking, CSRF (e.g., payment or account modification), and stored XSS.
  • General logic flaws and authorization issues.
  • Design flaws such as brute-forceable login interfaces (proof required) or weak passwords.


Low

  • Minor information disclosure, such as accessible backend without privileges, PHPinfo exposure, local SQL injection, logs, or configuration leaks.
  • Vulnerabilities exploitable only under specific conditions, such as reflected XSS (including DOM-based).
  • Limited-impact vulnerabilities such as SMS bombing, URL redirection, or credential stuffing interfaces.


4. General Principles for Vulnerability Assessment

  • Weak Passwords: Only the first reported case is accepted. Multiple accounts with the same issue are treated as duplicates.
  • SQL Injection: Must demonstrate impact by extracting at least one data record. Database dumping is strictly prohibited. Error-only reports without proof will be ignored.
  • Chained Vulnerabilities: Related vulnerabilities are merged and rewarded based on the highest severity.
  • Same Source: Multiple vulnerabilities from the same source (same domain/IP) count as one.
  • Deprecated Systems: May be downgraded based on actual impact.
  • Complex Exploitation: May be downgraded depending on difficulty.


Definition of Highly Sensitive Personal Information:
Must include at least 3 of the following:

  • Name / ID number
  • Bank card information
  • Phone number / email
  • Password
  • Address

Otherwise, severity will be downgraded based on sensitivity.


If system access is obtained (e.g., webshell), the following are strictly prohibited:

  • Downloading source code
  • Accessing databases
  • Retrieving user information
  • Accessing configuration files
  • Collecting logs

Further validation must be approved by reviewers. Unauthorized actions may result in account suspension and legal consequences.


5. Security Testing Code of Conduct

To ensure system stability and user data security, researchers must comply with the following:

  • Use self-registered test accounts whenever possible.
  • Do not access, obtain, download, or store real user data.
  • Verification should prove technical feasibility, not actual data extraction. Acceptable methods include:
    • Structural information (e.g., table/field names)
    • Access control changes
    • Masked or anonymized data
    • Other non-sensitive proof


Category 1

  • Do not disclose vulnerabilities before they are fixed.
  • Delete any sensitive data obtained during testing immediately after confirmation.
  • Do not store sensitive data in insecure environments (e.g., public cloud drives).
  • Submit vulnerabilities promptly and completely.
  • Avoid affecting normal user operations.
  • Do not bypass access controls unless:
    1. Within minimal scope
    2. No real user data involved
    3. No system/user impact


Category 2

  • Do not delete or tamper with system data.
  • Do not disrupt system availability or performance.
  • Do not use phishing or social engineering.
  • Do not engage in any activity that harms systems, users, or business.
  • If accidental actions occur, immediately:
    • Delete local data
    • Restore services
    • Report to reviewers


6. Vulnerability Reward Standards

Vulnerability Unit Price List: USD, excluding tax. (Subject to dynamic adjustment based on circumstances)


Severity    Reward (USD)
Critical    375–750
High        187–375
Medium      62–187
Low         12–25

(Overseas rewards use a fixed exchange rate, subject to adjustment.)


Reward Evaluation Criteria

Within each severity range, final rewards are determined based on:

  • Actual impact scope (single user / multiple users / entire platform)
  • Exploitation difficulty
  • Whether sensitive data or core business is involved
  • Potential damage after exploitation
  • Quality and completeness of the report

The final reward amount is determined by the Company's security team.


