[Security Vulnerability] UCloud vulnerability handling process and reward details

Posted on 9/28/2015 12:14:33 AM
Basic principles
1. UCloud attaches great importance to the security of its products and business and is committed to keeping its users safe. Through the Security Response Center, we look forward to working closely with individuals, organizations, and companies in the industry to raise the level of UCloud's network security.
2. UCloud thanks the white hats who help protect the interests of our users and help improve UCloud's security, and rewards them in return.
3. UCloud opposes and condemns all hacking activity that uses vulnerability testing as a pretext to damage or harm users' interests, including but not limited to exploiting vulnerabilities to steal user information, intrude into business systems, modify or steal related system data, or maliciously disseminate vulnerabilities or data. UCloud will pursue legal liability for any of the above acts.
Vulnerability feedback and handling process
1. Submit vulnerability information via email, Weibo, or QQ group.
2. Within one business day, USRC staff confirm receipt of the vulnerability report and follow up to begin assessing the issue.
3. Within three working days, USRC staff handle the issue, give a conclusion, and determine the reward. (If necessary, they will communicate with the reporter to confirm details and ask the reporter to assist.)
4. The business department fixes the vulnerability and schedules the update for release; the repair time depends on the severity of the problem and the difficulty of the fix.
5. The vulnerability reporter re-checks the vulnerability.
6. Rewards are distributed.

Security vulnerability scoring criteria
For each vulnerability, we consider both the technical difficulty of exploiting it and its impact, assign it to a level, and award the corresponding points.
Based on the affected service and the degree of harm, vulnerabilities are divided into four levels: high risk, medium risk, low risk, and ignored.
The vulnerabilities covered by each level and the scoring criteria are as follows:
High risk:
Rewards: Shopping cards worth 1000-2000 yuan or gifts of the same value, including but not limited to:
1. Vulnerabilities that directly obtain system privileges (server privileges, database privileges). This includes but is not limited to remote arbitrary command execution, code execution, arbitrary file upload leading to a Webshell, buffer overflow, SQL injection leading to system privileges, server parsing vulnerabilities, file inclusion vulnerabilities, etc.
2. Serious logic design flaws. This includes but is not limited to logging in as any account, changing the password of any account, and bypassing SMS or email verification.
3. Serious leakage of sensitive information. This includes but is not limited to serious SQL injection, arbitrary file inclusion, etc.
4. Unauthorized access. This includes but is not limited to bypassing authentication to access the back end directly, weak back-end login passwords, weak SSH passwords, weak database passwords, etc.
5. Obtaining UCloud user data or permissions through the UCloud platform.
Medium risk:
Rewards: Shopping cards worth 500-1000 yuan or gifts of the same value, including but not limited to:
1. Vulnerabilities that require user interaction to obtain user identity information, including stored XSS, among others.
2. Ordinary logic design defects, including but not limited to unlimited SMS and email sending.
3. SQL injection vulnerabilities in non-core product lines that are difficult to exploit, etc.

Low risk:
Rewards: Shopping cards worth 100-500 yuan or gifts of the same value, including but not limited to:
1. General information leakage vulnerabilities. This includes but is not limited to path leakage, SVN file leakage, LOG file leakage, phpinfo, etc.
2. Vulnerabilities that cannot be exploited or are difficult to exploit, including but not limited to reflected XSS.
Ignored:
This level includes:
1. Bugs that do not involve security issues, including but not limited to product function defects, garbled pages, broken styling, etc.
2. Vulnerabilities that cannot be reproduced, or other problems that cannot be directly demonstrated. This includes but is not limited to issues that are purely the user's speculation.

General principles of the scoring criteria:
1. The scoring criteria apply only to UCloud products and services. Domain names include but are not limited to *.ucloud.cn; servers include those operated by UCloud; products include mobile products released by UCloud.
2. Bug rewards are limited to vulnerabilities submitted to the UCloud Security Response Center; vulnerabilities submitted on other platforms are not scored.
3. Submitting vulnerabilities that have already been disclosed on the Internet will not be scored.
4. For the same vulnerability, only the earliest submitter is scored.
5. Multiple vulnerabilities from the same root cause are counted as only one.
6. For the same link URL, if multiple parameters have similar vulnerabilities, they are credited as one vulnerability; different vulnerability types on the same link are rewarded according to their degree of harm.
7. For general-purpose vulnerabilities originating in mobile terminal systems, such as webkit UXSS or code execution, only the first reporter is rewarded; the same vulnerability reported against other products will not be counted again.
8. The final score of each vulnerability is determined by comprehensively considering its exploitability, the size of the harm, and the scope of impact. A vulnerability of a lower level may therefore score higher than one of a higher level.
9. White hats are asked to provide a POC/exploit and a corresponding vulnerability analysis when reporting, to speed up processing by administrators. Submissions without a POC or exploit, or without detailed analysis, may have their reward directly reduced.

Bonus payment process:
USRC staff negotiate with the white hat on when and how gifts are distributed.
Dispute resolution:
If the reporter has any objection to the vulnerability assessment or scoring during the handling process, please contact the administrator promptly. The UCloud Security Emergency Response Center will give priority to the interests of vulnerability reporters and, if necessary, bring in external authorities to jointly adjudicate.