VeSync IoT Bug Bounty Program (V1.1)

Terms and Conditions

Last updated: February 20, 2023

Vesync Corporation ("Vesync," "us," "we," or "our") takes the security of its products and services seriously. The purpose of the Vesync IoT Bug Bounty Program (the "Program") is to help us continuously improve the security of our products and services through collaboration with members of the security community. Our goal is to triage, analyze, and remediate the vulnerabilities and exploitation techniques ("Vulnerabilities") submitted by the researcher ("you") in a timely manner.

These Terms and Conditions of the Vesync IoT Bug Bounty Program ("Bounty Terms") are an agreement between you and Vesync. Before you participate in this Program, please read these Bounty Terms carefully and thoroughly. If you have any questions about the Bounty Terms, you can contact datasecurity@vesync.com by email. If you do not agree to these Bounty Terms or to any part of them, you must immediately stop participating in this Program. BY SUBMITTING ANY VULNERABILITIES TO Vesync OR OTHERWISE PARTICIPATING IN THE PROGRAM IN ANY MANNER, YOU AGREE TO AND ACCEPT THESE BOUNTY TERMS.

1. PROGRAM ELIGIBILITY

You ARE NOT eligible to participate in the Program if ANY of the following applies to you:

(a) You are under 18 years of age. If you are at least 18 years old but are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to participating in this Program;

(b) Your employer or organization does not allow you to participate in these types of programs. You are responsible for reviewing your employer's rules for participating in this Program. We disclaim any and all liability or responsibility for disputes arising between you and your employer related to this matter;

(c) You are currently an employee of Vesync or its subsidiaries and/or affiliates, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;

(d) Within the six months prior to providing us your Submission you were an employee of Vesync or its subsidiaries and/or affiliates;

(e) You currently (or within the six months prior to providing us your Submission) perform services for Vesync or its subsidiaries and/or affiliates in an external staff capacity that requires access to the Vesync Network, such as agency temporary worker, vendor employee, business guest, or contractor;

(f) You are or were involved in any part of the development, administration, and/or execution of this Program;

(g) Your participation in this Program would violate any statute, law, ordinance, regulation, rule, code, order, constitution, treaty, common law, judgment, decree, other requirement, or rule of law of any federal, state, local, or foreign government or political subdivision thereof, or of any arbitrator, court, or tribunal of competent jurisdiction; or

(h) Your participation is for the purpose of perpetrating fraud, extortion, or other such criminal activities.

Additional restrictions on your eligibility to participate in the Program may apply under your local laws.

2. AUTHORIZATION AND RESTRICTION

You may search for Vulnerabilities under this Program only within the test scope defined in Article 5 herein, and only for research purposes. Provided that you agree to and comply with the Bounty Terms, we authorize you to search for Vulnerabilities for the purpose of testing and evaluating system security, without affecting the normal operation of the system and without endangering the network security or privacy of the system or of platform users.

3. GUARANTEE CLAUSE

For the Vulnerabilities you submit to us, you guarantee that: (i) the Vulnerabilities were collected, discovered, and researched through legitimate methods, tools, and channels, and we disclaim any and all liability or responsibility related to your submission and/or collection; (ii) you will not use technical or other means to disrupt the normal use of Vesync services or systems; and (iii) during your participation in this Program, you will not use your participation to store, publish, or disseminate any information, data, and/or content that endangers network security or violates applicable laws, regulations, and/or policies.

4. CODE OF CONDUCT

By participating in the Program, you will follow these rules:

(a) Don't engage in any activity that exploits, harms, or threatens to harm children.

(b) Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).

(c) Don't engage in any activity that is false or misleading.

(d) Don't engage in any activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others). You will do no harm and will not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.

(e) Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others. You will avoid intentionally accessing the content of any communications, data, or information transiting or stored on a Vesync information system, except to the extent that the information is directly related to a Vulnerability and the access is necessary to prove that the Vulnerability exists. An information system is a set of information resources for collecting, processing, maintaining, using, sharing, or disseminating information.

(f) You will not exfiltrate any data under any circumstances.

(g) You will not intentionally compromise the intellectual property or other commercial or financial interests of any Vesync personnel or entities, or any third parties.

(h) You will not submit a high volume of low-quality reports.

(i) Don't engage in any activity that is illegal and/or criminal.

(j) If during your research you are inadvertently exposed to information that the public is not authorized to access, you will effectively and permanently erase all identified information in your possession as directed by Vesync and report to Vesync that you have done so.

(k) If at any point you are uncertain whether to continue testing, please engage with our team.

If you violate these Bounty Terms, you may be prohibited from participating in the Program in the future, and any Submissions you have provided may be deemed ineligible for Bounty payments.

5. ELIGIBLE PRODUCTS AND TECHNOLOGIES

The test scope of this Program is limited to: (i) the Vesync Application; and (ii) IoT devices supported by the Vesync Application, including outlets, switches, lighting, kitchen appliances, air purifiers, scales, trackers, etc.

Vesync, at its sole discretion, may reject any submitted Vulnerability that we determine falls outside this scope.

6. SUBMISSION PROCESS

If you believe you have identified a Vulnerability that meets the applicable requirements set forth in the Bounty Terms, you may submit it to Vesync at datasecurity@vesync.com. Each Vulnerability submitted to Vesync shall be a "Submission." In the initial email, specify the Vulnerability details and the specific product version numbers you used to validate your research.

7. SUBMISSION REQUIREMENTS

To be eligible for Bounty award consideration, please include as much of the following information as possible in your Submission; at a minimum, a Submission must include:

(a) An overview/summary of the reported Vulnerability and its potential impact;

(b) How the Vulnerability can be exploited, the impact of the Vulnerability, and the likelihood of a successful exploit;

(c) The affected equipment, product model, software version, and configuration; and

(d) Attack tools, program code, or other information that clearly demonstrates the exploitability of the Vulnerability so that Vesync can reproduce the issue.

Depending on the details of your Submission, Vesync may award a Bounty of varying size. Well-written reports and functional exploits are more likely to result in Bounties. Submissions that do not meet the minimum bar described above are considered incomplete and are not eligible for Bounties.

8. OUT-OF-SCOPE CIRCUMSTANCES

The following circumstances of Submission are out-of-scope in this Program:

(a) If multiple people submit the same bug and meet the Bounty Terms, only the first submitter will be rewarded (based on the time Vesync received the Submission); other submitters will not be rewarded.

(b) Multiple Vulnerabilities will be rewarded only once if they (i) share the same root cause, or (ii) are the same Vulnerability on multiple models.

(c) A Vulnerability that has been made public online before the Submission will not be rewarded, including but not limited to on websites, social media, mailing lists, public talks, instant chat groups, etc.

(d) General Vulnerabilities, such as Vulnerabilities in third-party components and open-source middleware, which affect not only Vesync devices but also other vendors' IoT devices, will be determined on a case-by-case basis, at Vesync's sole discretion.

(e) Submissions based on illegally obtained Vesync confidential information are not eligible for this Program.

(f) A functional software error that causes the Application or device software to crash, but that has no clear security impact or exploitation technique, will not be regarded as a Vulnerability.

(g) Vulnerabilities that require the user to operate the Application or device and cooperate or interact (such as triggering network provisioning of a device, an authorized login, etc.) will not be regarded as Vulnerabilities.

(h) Publicly disclosing a Vulnerability before it is fixed, or using a security Vulnerability to engage in unauthorized and/or illegal activities, will result in immediate disqualification from the Program and ineligibility for receiving any Bounty payments.

9. BOUNTY AWARD SCHEDULE

We will evaluate Submissions on a case-by-case basis and classify them into four severity levels: [critical], [high], [medium], and [low], according to the degree of potential damage. When determining the Bounty award amount for an eligible Submission, we usually consider a number of factors, including but not limited to the quality of the report, the impact of the potential Vulnerability, the type of Vulnerability, the complexity of the exploit scheme and its implementation, and whether security measures are bypassed. The table below is a general guide to potential reward amounts; actual rewards may vary based on the factors mentioned above.

Level / Samples of the impact / Award range (USD, guide)

Critical ($3,000 to $10,000):
  1. Bypass authorization and remotely control any VeSync user's IoT device over the Internet to perform arbitrary operations without the user's interaction;
  2. Vulnerabilities that lead to the disclosure of a large number of users' sensitive information;
  3. Bypass internal system authorization and access a large quantity of sensitive user data, or execute arbitrary code or commands;
  4. Unauthorized permanent denial-of-service attacks that cause the permanent failure of a large number of users' IoT devices or services.

High ($1,000 to $3,000):
  1. Bypass authorization and remotely control a large number of IoT devices over the Internet to perform arbitrary operations without users' interaction;
  2. Bypass authorization and control any user's IoT device over the local area network to perform arbitrary operations without the user's interaction;
  3. Vulnerabilities that lead to the disclosure of a small number of users' sensitive information;
  4. Vulnerabilities that lead to the disclosure of a large number of users' general information;
  5. Bypass internal system authorization and access a large number of non-critical resources intended for internal employees only;
  6. Unauthorized permanent denial-of-service attacks that cause the permanent failure of a small number of users' IoT devices or services.

Medium ($500 to $1,000):
  1. Bypass authorization and control a small number of users' IoT devices over the Internet to perform arbitrary operations with users' interaction;
  2. Bypass authorization and control a certain number of users' IoT devices over the local area network to perform arbitrary operations without the user's interaction;
  3. Vulnerabilities that lead to the disclosure of a small number of users' general information;
  4. Bypass internal system authorization and access a small number of non-critical resources intended for internal employees only;
  5. Unauthorized temporary denial-of-service attacks that cause the temporary failure of a large number of users' IoT devices or services.

Low ($100 to $500):
  1. Bypass authorization and control a small number of users' IoT devices over the local area network to perform arbitrary operations with users' interaction;
  2. Vulnerabilities that lead to the disclosure of a few users' general information;
  3. Bypass authorization and perform operations that lead to an abnormal user experience for a large number of users.

10. BOUNTY AWARD PAYMENT

Bounty award arrangements under this Program, including but not limited to the timing, amount, and form of payment, are at VeSync's sole discretion and will be made on a case-by-case basis.

VeSync makes no representations and/or warranties regarding the tax consequences of the payments under this Program. Participants in this Program are solely responsible for any tax liability associated with Bounty award payments.

11. SUBMISSION LICENSE AND CONFIDENTIALITY

As a condition of participation in the Program, by providing any Submission to VeSync, you hereby:

(a) grant VeSync the following non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, trade shows, and screenshots of the Submission in press releases) in all media (now known or later developed);

(b) agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;

(c) understand and acknowledge that VeSync may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;

(d) understand that you are not guaranteed any compensation or credit for use of your Submission; and

(e) represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to VeSync.

Any information you receive or collect about VeSync or any VeSync user through the Program (“Confidential Information”) must be kept confidential and only used in connection with the Program. You may not use, disclose, or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the VeSync system, without VeSync’s prior written consent.

12. RESTRICTIONS ON DISCLOSURE

As a condition of participating in this Program, we require that Bounty Submissions remain confidential and not be disclosed to third parties, including as part of paper reviews or conference submissions, until VeSync notifies you that your Submission has been fixed. We further require that detailed proof-of-concept exploit code, and details that would make attacks on customers easier, be withheld for 30 days after the Vulnerability is fixed. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

13. PRIVACY

See the Privacy Notice on VeSync IoT Bug Bounty Program relating to the collection and use of your information in connection with the Program.

14. LEGAL

This Program does not grant authorization, permission, or otherwise allow express or implied access to VeSync information systems to any individual, group of individuals, consortium, partnership, or any other business or legal entity beyond what is set out in these Bounty Terms. You must otherwise comply with all applicable Federal, State, and local laws in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the Program or with the law. If you engage in any activities that are inconsistent with the terms and conditions of the Program or with the law, you will not be considered a researcher and may be subject to criminal penalties and civil liability. To the extent that any security research or Vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-VeSync entity (such as its affiliates and/or subsidiaries), that non-VeSync entity may independently determine whether to pursue legal action or remedies related to such activities.

VeSync may modify the terms and conditions or terminate the Program at any time.

Privacy Notice on VeSync IoT Bug Bounty Program

We respect and value your right to privacy. However, you may be asked to provide certain information in order for us to process a Bounty payment. What data we collect, how we process personal data, and your rights as a data subject are described below. This Notice forms part of the VeSync Privacy Policy ("General Privacy Policy"), which can be found at https://www.vesync.com/privacy-policy.

1. Controller/Business

VeSync Corporation
Building C, Suite A, Phase I of the Anaheim Concourse, 1202 N. Miller Street
Anaheim, California 92806, United States
US Toll Free Number: (833) 383-7962
E-mail: Privacy@vesync.com

2. Contact point for privacy issues related to this registry

The primary contact point is by email to Privacy@vesync.com. Non-electronic communication should be directed to the postal address above, addressed to the contact point.

If you have any questions about this Notice or need to access it in an alternative format due to having a disability, please contact Privacy@vesync.com and (833) 383-7962.

3. The purpose of processing personal data
  • Paying, tracking, and auditing vulnerability reward payments related to the VeSync IoT Bug Bounty Program;
  • Enforcing the Terms and Conditions and other contract-related activity of the VeSync IoT Bug Bounty Program; and/or
  • Informing the Tax Administration of vulnerability reward payments, and complying with law and other legal requirements.

4. Registry contents

Data subjects are recipients of vulnerability reward payments (a "recipient", below) and are asked to provide the following information.

  • Name of the recipient
  • Postal address of the recipient
  • Depending on the recipient's financial institution and its location, either:
    • The International Bank Account Number (IBAN) and the Bank Identifier Code (BIC) of the recipient, or
    • IBAN (optional), BIC (optional), account holder name, account number, and bank branch details of the recipient, or
    • Other applicable payment information, such as a PayPal account identifier
  • Personal or tax ID number, or any other personal information required by local tax or payment rules

5. Legal grounds

We need to collect and process the above data to perform our part of the mutual contract created upon your participation in our Bug Bounty Program.

6. Regular sources of information

Data is provided by the recipient of the reward upon request.

7. Retention

We store the above data for 6 months, after which we delete it, except where we are required by law to retain records of outgoing payments.

8. Regular destinations of disclosed data
  • The financial institution(s) used to perform the payment.
  • The Tax Administration.

9. Description of the principles according to which the data file is secured

Please refer to the General Privacy Policy. We strongly recommend that reward recipients send this information to us by encrypted email.

10. Your rights

Please refer to the General Privacy Policy.

11. Changes

VeSync reserves the right to change this Notice from time to time to comply with its legal obligations.

12. Effective Date

Sept. 30, 2021