AdsPower
AdsPower

Bug Bounty

AdsPower has been committed to protecting the information security of users. We welcome white hats to report security vulnerabilities of AdsPower to us to help us improve the security of system and business. Report vulnerability email: security@adspower.net .


AdsPower vulnerability hazard assessment rules

Serious
  1. Vulnerabilities that directly obtain system permissions. Including but not limited to command injection, remote command execution, and upload to obtain WebShell.
  2. Serious level of sensitive information leakage. Including but not limited to information leakage that has a huge impact on the company or users, multi-dimensional and huge sensitive data, and sensitive information leakage caused by interfaces.
  3. Vulnerabilities that leak a large amount of core sensitive data, including but not limited to: SQL injection vulnerabilities of core DB, large-scale leakage caused by user sensitive information interface overreach.
  4. Arbitrary remote code execution without user interaction or simple user interaction, remote arbitrary file reading and writing.
  5. Vulnerabilities such as administrator permissions of key basic systems such as clusters or bastion hosts can be directly obtained.
High risk
  1. Exploitable SQL injection vulnerabilities (obtaining user).
  2. Logical vulnerabilities that directly lead to serious impacts. Including but not limited to arbitrary account password change vulnerabilities and arbitrary user login vulnerabilities.
  3. Vulnerabilities in the client's own functions. Including but not limited to obtaining client permissions remotely to execute arbitrary commands and codes.
  4. Unauthorized access. Including but not limited to bypassing authentication to access the management backend, unauthorized access to multi-dimensional sensitive information.
  5. Local arbitrary code execution. Including but not limited to local code execution vulnerabilities caused by locally exploitable code execution and other logical problems. (Product local arbitrary code execution caused by DLL hijacking due to system defects is not included in the scope of collection)
Medium risk
  1. Ordinary information leakage. Including but not limited to unauthorized access that affects a limited amount of data or a limited degree of sensitivity, source code or system logs, or SSRF vulnerabilities without information echo.
  2. Vulnerabilities that require victim interaction or other prerequisites to obtain user identity information. Including but not limited to JSON Hijacking, operations (such as payment operations, publishing information or modifying personal account sensitive information operations) containing user and website sensitive data, CSRF, and stored XSS.
  3. Ordinary logical defects and unauthorized access. Including but not limited to general unauthorized behavior and design defects.
  4. Ordinary design defects, including but not limited to login window blasting (successful cases must be provided), weak passwords and other problems.
Low risk
  1. Minor information leakage, including but not limited to vulnerabilities that can log in to the backend but have no permissions or data operations, PHPinfo, local SQL injection, recent log printing and configuration leakage.
  2. Vulnerabilities that can only obtain user information under specific circumstances, including but not limited to reflected XSS (including DOM type).
  3. Vulnerabilities with limited exploit scenarios, including but not limited to SMS bombing, URL jump, system database collision interface, etc.


General principles for vulnerability assessment

  1. Weak password problem: For multiple users of the same system, only the first weak password problem is confirmed, and subsequent submissions are considered duplicate vulnerabilities; the same user's weak password can log in to different systems, which is considered the same vulnerability and merged.
  2. For SQL injection vulnerabilities, one of the data must be noted to prove the harm. It is strictly forbidden to drag the library table. Simple error reporting without proof of harm will be ignored.
  3. Unless otherwise stated, the previous and subsequent related vulnerabilities are merged and rewarded according to the highest level of vulnerability, such as submitting a weak password to enter the backend/intranet vulnerability first, and then submitting SQL injection and unauthorized vulnerabilities to enter the backend/intranet. The SQL and unauthorized vulnerabilities submitted later are merged and processed, and the auditor will communicate with the security docking personnel whether to allow further in-depth testing of the system. If permitted, normal testing can be performed, and problems found can be submitted separately.
  4. Multiple vulnerabilities generated by the same vulnerability source are counted as one vulnerability. On the web level, the same domain name or IP belongs to the same vulnerability source, and the vulnerability reward is based on the highest level vulnerability.
  5. For marginal/abandoned business systems, downgrade according to actual conditions.
  6. For vulnerabilities with harsh exploitation conditions, downgrade according to actual conditions.
  7. Definition of severe sensitive identity information:
    At least 3 sensitive fields: name/ID card, bank card information, mobile phone number/email, password, address;
    For information that does not meet the above conditions, it will be downgraded depending on the sensitivity of the information.
  8. For those who have obtained system permissions (such as webshell), downloading source code audits is prohibited. Please contact the auditor in advance. The auditor will communicate with the security docking personnel on relevant matters. If the security docking personnel agrees to the audit, follow-up operations will be carried out, and vulnerabilities found can be submitted separately. Otherwise, their behavior will be regarded as illegal operations, and the account will be frozen once discovered. The security docking personnel reserves the right to pursue legal liability for the severity of the situation.


Test red line

The first type of event:
  1. Vulnerability leakage, the vulnerability content is actively leaked to a third party.
  2. Data retention, testing sensitive information leakage (account passwords, sensitive keys, orders, personnel identity information, etc.), not completely deleting the relevant information obtained during the test one month after the vulnerability is confirmed.
  3. Improper storage, using the online storage service provided by the cloud disk or the local software with network synchronization function to store the relevant information obtained during the test, resulting in leakage.
  4. Concealment problem, the sensitive information found was not fully reported, and there was obvious reservation, or the relevant vulnerability was not reported within one week after the vulnerability was found.
  5. Customer impact, the test slightly affected the use of other users' products, causing a small number of complaints and other negative feedback.


Second type of incident:
  1. Production accident, the test caused important business interruption and directly caused large-scale failures.
  2. Harming users, the test affected a large number of users, causing a large number of complaints from the user side
  3. Sensitive data, do not exceed 50 requests for sensitive data.
    Note: 50 sensitive data requests is the bottom line, but it does not mean that 49 are compliant, and the test should not exceed 5 in normal times; the law stipulates that no more than 50 personal information can be obtained, so the unauthorized vulnerability needs to be cautious to ensure its own safety. "Controllable" is also one of the requirements in professional penetration testing.
  4. Deep exploitation, rejecting intranet penetration, prohibiting the use of scanners in the intranet after obtaining intranet permissions, or horizontally contacting non-test target targets, obtaining intranet application/host permissions, etc.
  5. Integrity destruction, using unauthorized deletion and other issues, causing integrity destruction of the online system, resulting in loss of important data.
  6. Availability destruction, using DOS-type defects or other methods (such as DDoS or CC attacks, etc.), causing availability destruction of the online system, resulting in system unavailability.
  7. Social engineering attacks, such as using phishing emails to attack, further planting Trojan viruses, stealing company secrets, etc.
  8. Other behaviors that intentionally endanger the security of computer information networks and cause serious consequences.


For unintentional downloading, deletion, etc., please immediately delete local data, restore online business, and report to the vulnerability reviewer.

Assets included:

*.adspower.com

*.adspower.net

Desktop client (three terminals)


Vulnerability reward standard

Vulnerability Unit Price List: USD, excluding tax. (Subject to dynamic adjustment based on circumstances)

Vulnerability level

Serious

High risk

Medium risk

Low risk

Unit price

750

375

187

25



Drive revenue with AdsPower
Start free