The top award in the program is now $15,000 for “quality reports on eligible valid vulnerabilities” that are critical-rated, according to the program details – an increase from $5,000 previously. As for what’s eligible and valid, awards are available across Tencent’s products and services, as well as on its carrier networks.
Attacks on ISP networks and services can take many forms. Tencent said that it’s mainly interested in bugs that enable: cross-site scripting (XSS); cross-site request forgery (CSRF); server-side request forgery (SSRF); SQL injection; remote code execution (RCE); XML external entity attacks (XXE); access control issues (insecure direct object reference issues, etc.); exposed administrative panels; directory traversal issues; local file disclosure (LFD); and data leakage/data breach/information disclosure issues.
“Any design or implementation issue that is reproducible and substantially affects the security of Tencent users is likely to be in scope for the program,” according to TSRC.
“Online security for our products and platforms is a top priority for Tencent,” said Juju Zhu, COO of TSRC, in a media statement. “While we develop and deploy advanced technologies to safeguard our platforms, we also collaborate with professional white hackers’ networks to help us enhance our security protection for our products and our users. We are the first company in China to set up a Security Response Center, and now by partnering with HackerOne, we expect to receive constructive research results from a larger, global community of security experts.”
According to HackerOne platform data in the 2019 Hacker-Powered Security Report, bug-bounty programs in the Asia-Pacific region have increased by 30 percent in 2019, thanks to new programs from Singapore’s Ministry of Defence (MINDEF) and Singapore’s Government Technology Agency (GovTech), Toyota, Nintendo, Grab, Alibaba, LINE, OPPO, OnePlus and others.