The Security rules of Yardforce V1.0

1. Security vulnerability grading standards

1.1 Yardforce's core business scope

Yardforce's core applications and businesses include:

  • The Cloudhawk, Mowap and Revola intelligent platforms
  • The applications associated with Yardforce, and the server interfaces those applications use
  • Wi-Fi, BLE, LTE and Zigbee modules, and the server interfaces those modules use

The ordinary applications and businesses of Yardforce are all Yardforce applications and businesses other than the core applications and businesses.

1.2 Details of vulnerability reward scheme

The final criterion for rating a vulnerability is its impact on the business itself. That impact is assessed from factors such as whether the affected business is core, how difficult the vulnerability is to exploit, how harmful it is, how many users it affects, how reproducible it is and how easy it is to discover. The same type of vulnerability with a different impact on the business is rated at a different level. A vulnerability in an ordinary application that affects a core application is scored as core business.

The vulnerability types in scope include but are not limited to web security, mobile security, business logic security and smart device security vulnerabilities. After Yardforce confirms a vulnerability, the reporter receives points; the point ranges are as follows:

  Service level               | Serious   | High risk | Medium risk | Low risk
  Core business (points)      | 100-1000  | 60-120    | 10-60       | 1-30
  Ordinary business (points)  | 50-500    | 30-60     | 5-30        | 1-5

1.3 Vulnerability level classification

[Serious vulnerabilities]

  1. Vulnerabilities that give remote direct access to system privileges (server, client or smart device), including but not limited to arbitrary code execution, arbitrary command execution, and uploading and executing a webshell.
  2. Logic design flaws in core business systems, including but not limited to serious vulnerabilities in payment and transaction systems, modification of any account's password without any protective restriction, and login to any account.
  3. Vulnerabilities that directly lead to serious information leakage from online business systems, including but not limited to SQL injection into core databases.
  4. Mobile: remote code execution that directly affects a large number of users without user interaction.
  5. Device side: obtaining execution privileges on a device remotely over the Internet (for example tampering with camera video or unlocking a door), or remote command execution over the Internet that requires no user interaction.

[High risk vulnerabilities]

  1. Vulnerabilities that directly lead to sensitive information leakage from online servers, including but not limited to leakage of core system source code, leakage of user account or payment related information, or download of sensitive server log files.
  2. In ordinary business systems, the ability to perform all functions as another user (horizontal privilege abuse); in core business systems, sensitive unauthorized operations.
  3. Unauthorized access to a management platform and use of administrator functions, including but not limited to login to a sensitive backend administrator account. The activity level, user base, functional importance and sensitivity of user information on the affected platform are all used as criteria for the high-risk rating.
  4. High-risk information leakage, including but not limited to disclosure of directly usable sensitive data that leads to leakage of a large number of user identity records (more than 10,000 developer accounts on the B side, or more than 100,000 app users on the C side; at least two of ID number, mobile phone number and address).
  5. A fully echoing SSRF vulnerability (the response is returned to the attacker) that can reach the Yardforce intranet.
  6. Mobile applications: a third-party application can invoke the mobile client's functions across applications to perform high-risk operations (such as file read/write, SMS read/write, or reading and writing the client's own data), or high-risk leakage of sensitive information.
  7. Device side: obtaining execution privileges on a device (for example tampering with camera video or opening a door lock) from near-field or within the local area network, or near-field or LAN remote command execution that requires no user interaction.
  8. Device side: a vulnerability that remotely causes permanent denial of service on a device. This includes but is not limited to remotely initiated permanent denial of service against system devices (the device is no longer usable: completely and permanently damaged, or the whole system must be re-flashed); the attack must not require physical contact with the device and must be quickly reproducible at scale.

[Medium risk vulnerabilities]

  1. Ordinary information leakage, including but not limited to plaintext password storage in mobile clients, or download of compressed source code packages containing sensitive information from servers or databases.
  2. Logic design flaws in the system, such as bypassing product postage or payment vulnerabilities.
  3. Vulnerabilities caused by weak verification mechanisms, including but not limited to brute forcing of verification codes for sensitive functions, login interfaces lacking a verification code, or brute-force guessing that the rate limiting does not prevent.
  4. Blind (non-echoing) SSRF vulnerabilities.
  5. Vulnerabilities that require user interaction to obtain user identity information, including but not limited to CSRF on sensitive operations, stored XSS, and JSONP hijacking of sensitive information.
  6. Remote denial of service that makes part of an online application's functionality unavailable (proof of impact on other users is required).
  7. Denial of service on smart devices, for example a permanent denial of service initiated locally (the device can no longer be used: completely and permanently damaged, or the whole operating system must be rewritten), or a temporary denial of service caused by a remote attack (remote hang or reboot); the attack must be quickly reproducible at scale.

[Low risk vulnerabilities]

  1. Vulnerabilities usable for phishing attacks, including but not limited to URL redirection and reflected XSS.
  2. Low-risk logic design defects.
  3. Minor information leakage, including but not limited to .git file leaks and server business log contents.
  4. Rate-limiting defects, including but not limited to SMS bombing and race conditions with limited impact.
  5. Mobile: local denial of service (including but not limited to denial of service caused by third-party Android component permissions), minor information leakage, etc. (affecting only individual users).
  6. Temporary denial of service on a device, including but not limited to temporary denial of service caused by a local attack (the device must be reset to factory settings).

[Ignored issues]

  1. Bug reports unrelated to security, including but not limited to slow page loading and broken styling.
  2. Reports too brief to reproduce from their content, including but not limited to vulnerabilities that cannot be reproduced despite repeated communication with the vulnerability auditor.
  3. Unexploitable or harmless reports, including but not limited to CSRF with no actual impact on users, local denial of service that cannot affect others, Self-XSS, PDF XSS, non-sensitive information leakage (internal IPs, domain names), email bombing, etc.
  4. Source code leakage that is not meaningful.
  5. Security issues in non-Yardforce modules of hardware products, or problems caused by hardware defects themselves.
  6. Security issues that Yardforce has proactively disclosed or that are already publicly disclosed.
  7. Products, apps or modules that are no longer maintained.
  8. Vulnerabilities already known internally and verifiable by Yardforce itself.
  9. Generic protocol vulnerabilities in Wi-Fi, MQTT, BLE, Zigbee and similar.
  10. Denial of service caused by third-party Android component permissions.

2. General principles of vulnerability rewards

2.1 Handling of duplicate vulnerabilities

a. Different reporters submit the same vulnerability: the first researcher to submit it, by submission time, is rewarded; later submissions are recorded as ignored.
b. Web security and data security vulnerabilities: if the same vulnerability is reported again within 90 days it is ignored; if it is reported again after 90 days it is handled as a new vulnerability.
c. Mobile client security vulnerabilities: if the same vulnerability is reported again within 90 days it is ignored; after 90 days it is handled as a new vulnerability. If Yardforce has released a new version that fixes the vulnerability, the report is ignored; however, if the report proves the fix can be bypassed, it is treated as a new vulnerability.
d. Smart device security vulnerabilities: if the same vulnerability is reported again within 180 days it is ignored; after 180 days it is handled as a new vulnerability. If Yardforce has released a new device firmware version that fixes the vulnerability, the report is ignored; however, if the report proves the fix can be bypassed, it is treated as a new vulnerability.
e. Vulnerabilities submitted to third-party vulnerability platforms are subject to the same duplicate handling. The time used is the time at which Yardforce received the vulnerability.

2.2 Multiple vulnerabilities from the same vulnerability source are counted as one.

The following situations are also treated as a single vulnerability source, that is, multiple vulnerabilities count as one. If the problem has been submitted for repair but still exists elsewhere, it is scored again.
a. Multiple information leaks on the same site caused by debugging being enabled or error output not being disabled.
b. Directory browsing in multiple directories on the same site, or multiple leaks of the same information.
c. For the same URL, the same injection point, the same payload mechanism, or different injection points with similar function, count as one vulnerability.
d. Generic software vulnerabilities that occur in multiple places: if submitted together, the severity level may be raised; if submitted separately, only one submission is accepted and the rest are ignored.
e. Unauthorized access on multiple different interfaces within the same functional module is recorded as one vulnerability.

2.3 Denial-of-service reports that provide only debugging output from a fuzzer, without identifying the specific faulty function, are all rated low risk.

2.4 Vulnerabilities not listed in the scoring criteria are scored according to the listed vulnerability with the closest comparable harm.

2.5 Submissions of publicly available information about security threats that Yardforce has already disclosed are all ignored.

3. Security update cycle instructions

3.1 Software security updates

  • For serious or high-risk vulnerabilities, we usually complete the fix and release it within one month;
  • For vulnerabilities of other levels, the fix is released together with functional iterations, usually at the end of each quarter (every three months). The above schedules may change with the release of new products and the end of a product's maintenance period.

3.2 Security Update Statement

Yardforce takes security issues seriously and will make every effort to provide the latest security patches for your smart devices or software. However, several factors may affect when you actually receive security updates.

  1. Regular maintenance releases and operating system upgrade releases have a longer delivery cycle, which may delay security updates.
  2. Security updates are pushed in batches. If you have not yet received the security update, please be patient.
  3. Some patches require longer testing and may not be included in the current month's security update; once ready for delivery they are included in an upcoming security update. Although Yardforce commits to providing security patch updates for smart devices, please note that patch delivery time may vary by region and model.

4. Reward distribution

After confirming a vulnerability, Yardforce rewards the submitter with points (issued at the beginning of each quarter). The points are determined by Yardforce's internal team, which rates the vulnerability's severity and the affected business according to the vulnerability reward standards and applies the corresponding weights to calculate the final points.

5. Response processing time

  1. Within five working days, Yardforce Security Emergency Response Center staff will acknowledge the received vulnerability report and follow up to evaluate the issue.
  2. Serious vulnerabilities (such as RCE) are followed up within 24 hours, with a preliminary conclusion and rating.
  3. High-risk vulnerabilities are followed up within 3 working days, with a preliminary conclusion and rating.
  4. Remaining vulnerabilities are followed up and rated within 7 working days. If the reporter considers the situation an emergency, they can email sumechardware@gmail.com; urgent handling will be carried out after confirmation by the auditors.