ECOVACS Product Security Center Vulnerability Handling and Rating Standard 2.0
Released in September 2024
I. Basic Principles
- ECOVACS Home Robots Co., Ltd. (hereinafter referred to as "ECOVACS") attaches great importance to the security of its products and services. We welcome external security experts to assist us in improving security by submitting vulnerability reports, so as to better protect users’ personal privacy and data security. We promise that every security report will be evaluated, analyzed and followed up by professional engineers, with timely feedback on processing progress.
- ECOVACS shall process received vulnerability reports in accordance with the standard workflow: Receive – Assess – Remediate – Release – Disclose, and maintain professional communication with the reporter.
- ECOVACS condemns any act conducted in the name of vulnerability testing that actually harms user interests or compromises the security of computer information systems, including but not limited to: using vulnerabilities to steal user privacy or virtual property, intruding into business systems, obtaining system or business data without authorization, exfiltrating user data, or maliciously disseminating vulnerabilities or data.
- Without the explicit authorization of ECOVACS, discussing or disclosing relevant vulnerability details in any public venue or platform is prohibited. ECOVACS reserves the right to pursue legal liability for the aforementioned acts.
- ECOVACS firmly believes that the proper handling of security vulnerabilities and industrial progress require joint efforts from all parties. We are committed to strengthening cooperation with enterprises, security companies and researchers in the industry to jointly safeguard the cybersecurity ecosystem.
II. Vulnerability Submission Process
[Vulnerability Submission]
Vulnerability reporters may submit reports of discovered product security vulnerabilities through the ECOVACS Product Security Center.
[Vulnerability Review Phase]
The ECOVACS Product Security Center will initiate the review and assessment as soon as confirmation of receipt has been made. If necessary, we will contact the reporter via the official email product-security@ecovacs.com to confirm details, and your assistance is appreciated.
[Vulnerability Handling Phase]
Relevant business departments will arrange remediation work according to the vulnerability remediation priority standards. The remediation timeline depends on the severity and complexity of the vulnerability. For vulnerabilities restricted by version release cycles, the remediation timeline will be determined based on actual conditions. For vulnerabilities causing severe or major impacts, an emergency security announcement will be issued as appropriate. All remediation work shall comply with national laws and regulations. Upon completion of remediation, verification will be performed and the corresponding process will be closed.
III. General Vulnerability Scoring Rules
- This standard applies only to ECOVACS products and services. Vulnerabilities unrelated to ECOVACS are not eligible for rewards.
- Multiple vulnerabilities arising from the same root cause shall be counted as one valid vulnerability, including but not limited to issues caused by identical server configurations, global application framework functions, the same file template, or wildcard domain name resolution.
- Vulnerabilities whose technical details (such as POCs) have been disclosed on any public channels prior to submission (including but not limited to websites, social media, mailing lists, public presentations, instant messaging groups, etc.) are not eligible for the reward program.
- For identical vulnerabilities submitted by multiple researchers or by the same researcher repeatedly, only the first valid submission will be recognized. Due to relatively long remediation cycles for hardware, system and architecture-related vulnerabilities, the deadline for resubmission shall be based on the remediation completion time marked in internal security tickets.
- Vulnerabilities affecting non-critical business systems may have their severity level downgraded appropriately based on the scope of impact. Conversely, vulnerabilities affecting critical business systems with a wide impact scope may have their severity level upgraded appropriately.
- Any activities conducted under the pretext of security testing that actually harm user interests, disrupt business operations, prematurely disclose vulnerabilities, steal data or engage in similar misconduct shall result in no reward, and ECOVACS reserves the right to pursue legal liability.
IV. Detailed Security Vulnerability Scoring Criteria
Cloud Service Vulnerability Assessment Criteria
- Vulnerability Level: Critical
- Direct acquisition of core system privileges (server-side privileges, client-side privileges), including but not limited to: Command Injection, Remote Command Execution, WebShell Upload, SQL Injection leading to system privilege escalation, remote kernel code execution vulnerabilities, and other remote code execution flaws caused by logical issues.
- Severe logical design flaws, including but not limited to: unrestricted arbitrary account login, arbitrary account password reset, arbitrary account fund consumption, order traversal, and critical issues in transaction and payment systems within key business systems.
- Severe information disclosure, including but not limited to: large-scale acquisition of sensitive multi-field data or substantial critical database information via SQL Injection, unauthorized interface access, and similar methods.
- Vulnerability Level: High
- Vulnerabilities that directly lead to the disclosure of user identity information, including stored XSS on key pages and SQL injection on general websites.
- Unauthorized access, including but not limited to bypassing authentication to directly access the admin backend, weak backend passwords involving important business or personal sensitive information, tampering with system front-end pages, etc.
- High-risk information disclosure, including but not limited to leakage of source code compressed packages.
- High-risk SSRF vulnerabilities that can probe the internal network, steal critical internal network information, or obtain privileges of internal network servers.
- High-risk logical flaws, such as bypassing SMS/email verification codes in the authentication module and brute-force attacks, leading to arbitrary user login or password reset.
- Vulnerability Level: Medium
- Vulnerabilities requiring user interaction to obtain identity information, including but not limited to reflected XSS (including reflected DOM-XSS), exploitable CSRF capable of stealing sensitive user information or privileges, and stored XSS in ordinary business scenarios.
- Ordinary information disclosure, including but not limited to leakage of compressed packages containing sensitive information such as database connection credentials.
- Ordinary privilege escalation issues, including but not limited to insecure direct object references.
- Ordinary logical flaws, including but not limited to SMS/email verification code bypass and brute-force attacks in non-authentication modules.
- SQL injection vulnerabilities in non-critical business systems with high exploitation difficulty.
- Unauthorized access to non-critical operation and maintenance management systems, test databases, etc., with no sensitive data or potential for further exploitation.
- Vulnerability Level: Low
- Minor information disclosure, including but not limited to path disclosure, SVN information leakage, log file leakage, internal network account password disclosure, non-sensitive system source code and passwords leaked on GitHub, etc.
- Hard-to-exploit but potentially risky issues, including but not limited to Self-XSS that may be propagated or exploited, file parsing vulnerabilities, plaintext password transmission over HTTP, invalid session retention after logout, etc.
- Denial of Service vulnerabilities, such as those that can cause service interruption without excessive resource consumption.
- Vulnerability Level: Informational
- Issues with no actual security impact, including but not limited to product function defects, page display issues, non-reproducible error messages that do not disclose sensitive information.
- Non-exploitable or worthless vulnerabilities, including but not limited to directory traversal without sensitive information, 401 phishing, non-exploitable encoding flaws, non-hazardous Self-XSS, CSRF without sensitive operations, meaningless abnormal information disclosure / front-end source code leakage, scanner results without proven harm, non-sensitive JSON hijacking, bundled files containing only JS and IMG, regular logcat information, plaintext username transmission, iframe phishing, failure to implement SSL/TLS best security practices, etc.
- Issues that cannot directly demonstrate a valid vulnerability, including but not limited to pure guesswork, test pages without sensitive information, SSRF that cannot obtain internal server information and only produces a DNS log entry, theoretically feasible but non-exploitable vulnerabilities, use of vulnerable components without direct exploitation, failure to adopt optimal security configurations, etc.
- Non-critical client-side local denial of service vulnerabilities, including but not limited to denial of service caused by unvalidated component parameters; unauthorized access to general operation and maintenance systems with no available data; slowhttptest with no actual impact; DDoS attacks requiring significant resources; web man-in-the-middle hijacking.
- Scan results from third-party tools or online platforms cannot be directly taken as vulnerability proof. Submissions that fail to provide a specific vulnerability description, verification method and impact, or that merely report the use of HTTP instead of HTTPS, will not be recognized as security issues. Open ports alone without an exploitation method (such as an exposed MySQL service) and non-reproducible vulnerabilities also fall into this category.
- Violations of security design principles without concrete exploitation methods, such as password policy issues, unsuccessful account password brute-force attempts, PDF XSS in static files, Baidu Maps AK leakage, non-impacting actuator endpoints such as Prometheus, concurrent likes, limited SMS bombing, etc.
- Account issues in non-critical business systems with limited impact scope, including but not limited to username and phone number enumeration, zombie user registration, invalid image CAPTCHA, credential stuffing, password brute-force attacks, email/SMS bombing, and other vulnerabilities confirmed by ECOVACS as non-reproducible.
Device Vulnerability Assessment Criteria
- Vulnerability Level: Critical
- Vulnerabilities stemming from severe logical flaws that may result in substantial financial losses for users.
- Vulnerabilities enabling non-interactive remote command execution, arbitrary code execution, or similar flaws that allow for remote device control and theft of private information stored on the device.
- Vulnerabilities that remotely cause permanent denial of service (PDoS) to the device, including but not limited to complete device damage or the need to re-flash the entire operating system. Note: Proof-of-Concept (PoC) or Exploit (Exp) demonstrating the exploitability of the vulnerability must be provided.
- Vulnerability Level: High
- Unauthenticated or non-interactive command execution within the local area network.
- Vulnerabilities that allow access to private information stored on the device under Internet environments.
Note: Proof-of-Concept (PoC) or Exploit (Exp) demonstrating the exploitability of the vulnerability must be provided.
- Vulnerabilities that allow remote acquisition of non-privileged system access, including but not limited to remote command execution and arbitrary code execution.
- Vulnerabilities causing device denial of service, including but not limited to local permanent denial of service (resulting in permanent device damage or full OS re-flashing), and temporary denial of service caused by remote attacks (remote hang or reboot).
- Remote unauthorized operation vulnerabilities, including but not limited to remotely bypassing user authorization to perform sensitive operations.
- Vulnerability Level: Medium
- High-impact vulnerabilities that can only be triggered under highly restrictive conditions.
- Vulnerabilities causing temporary device denial of service, including but not limited to temporary denial of service resulting from local attacks.
- Privilege bypass vulnerabilities, including but not limited to in-depth bypass of user-level protection functions, or bypass of device protection mechanisms via mitigation techniques exploited in privileged processes.
- Local unauthorized operation vulnerabilities, including but not limited to local bypass of user authorization to perform sensitive operations.
- Remote unauthorized access to non-sensitive controlled data.
- Vulnerability Level: Low
- Insecure configurations (issues that are difficult to exploit or have minimal impact will be classified as Informational; see the definition for details).
- Low-risk information disclosure vulnerabilities that only result in information leakage or pose minor security risks.
- Denial of service within the local area network, or denial of service that requires user interaction to be exploited.
- Local privilege bypass vulnerabilities, including but not limited to bypassing user-level protection functions, exploiting vulnerabilities in mitigation techniques within non-privileged processes, or accessing non-sensitive controlled user data.
- Local unauthorized operation vulnerabilities, including but not limited to vulnerabilities that allow invoking hidden system functions without user interaction, causing actual inconvenience or loss to users.
- Vulnerability Level: Informational
- Device firmware is not effectively encrypted, but no more severe vulnerabilities can be reversed from the firmware.
- Device debug interface is enabled but no shell can be obtained.
- Firmware is downloaded via HTTP, but the firmware includes integrity and source authentication.
- Local DDoS attacks against the user’s own device.
- End-of-life (EOL) devices (except for Critical vulnerabilities).
- Denial of service caused by channel occupation or temporary denial of service.
- Low-impact denial of service: software functional errors with no security impact, application-level crashes, simple prompt pop-ups, temporary Framework restart.
- Storage of sensitive information inaccessible to regular permission apps; log data, system test data, etc., with no actual impact on users.
- User data stored unencrypted on external storage (excluding APP logs containing sensitive information and data promised to be encrypted).
- APP lacks code obfuscation, APK can be repackaged, APP contains hard-coded or recoverable non-critical information keys, APP lacks binary protection controls.
- Attacks that require physical access and breach of device hardware integrity.
- Attacks launched in developer mode (high-impact issues such as privilege escalation may be evaluated separately).
- Open-source and third-party vulnerabilities that also affect other industry devices (high-impact vulnerabilities to the device may be evaluated separately).
- Vulnerabilities that require certain permissions to be successfully exploited and cause impact, where such permissions alone could achieve the same effect.
- Reports only indicating potential vulnerabilities without exploitation methods, scanner results without proven actual harm, and vulnerability reports based on illegally obtained confidential information.
V. Dispute Resolution
During the vulnerability handling process, if the reporter has objections to the handling procedure, vulnerability assessment, or severity rating result, they may submit feedback via email to product-security@ecovacs.com.
Please mark the email subject with [ECOVACS Vulnerability Handling Objection].
We will prioritize such feedback and process it in accordance with the principle of respecting the rights and interests of the reporter. If necessary, external security experts may be engaged for joint determination.
[Reward Notice]
ECOVACS may provide special rewards from time to time to security experts who submit high-quality vulnerabilities or participate actively.
ECOVACS shall not be liable if rewards fail to be delivered due to incorrect information provided by the reporter, issues caused by the courier company, or events of force majeure.