

Rules for Issuing Bug Rewards

Date Created: Feb. 02, 2023 06:03:12 Last Edited: Feb. 02, 2023 10:15:34

We welcome feedback from anyone outside CJ on security vulnerabilities in CJ's web platform, to help us improve the security of our products and business, and we hope to build good working relationships with colleagues in the security industry. So that we can confirm and fix security problems quickly, please contact us by email (amking@cjdropshipping.co) when you find a vulnerability.


Rules for Issuing Bug Rewards:

1. High-Risk Vulnerabilities: $1000-10000

-The vulnerability must meet the following conditions:

a. It can directly modify or take control of CJ systems.

b. It can directly take control of CJ's data.

c. It can disrupt the normal operation of the CJ web platform.

2. Medium-Risk Vulnerabilities: $500-5000

-The vulnerability must meet the following conditions:

a. It can partially affect the functionality of the CJ web platform.

b. It can directly obtain CJ's non-public data.

c. It can affect the accuracy of CJ's business data.

3. Low-Risk Vulnerabilities: $10-500

-The vulnerability must meet the following conditions:

a. It can deform CJ pages or partially affect how a page is displayed.

b. It can have an impact on CJ users.


Types that are not currently in scope for vulnerability collection

a. XSS vulnerabilities are not in scope.

b. Reflected XSS and self-XSS vulnerabilities are not in scope.

c. Event-type vulnerabilities (for example, a known security problem in an official interface of some vendor's CMS, where the affected interface is hosted on that vendor's own server).

d. Other vulnerabilities with very limited impact.

e. Vulnerabilities that can be detected by mainstream scanning tools.


Vulnerability Submission Reporting Requirements

So that each vulnerability can be evaluated objectively and its real-world impact taken into account, we recommend that white hats include the following key information, based on the CVSS 3.0 standard, to avoid disagreement during review.

Attack vector (how the vulnerability is exploited): remote / local / physical

User interaction and authentication: no login required / login required / login required (registration open to the public)

Privileges required: ordinary user / function administrator / system administrator

Affected interface, for example: http://example.com/XXXXXid=100&xxxxx

Exploited parameter, for example: the id parameter in the URL of the interface above

Vulnerability proof:

a. SQL injection: include proof that the injection is exploitable, such as the output of user(), version(), or database(); screenshots are recommended.

b. Command execution: include proof that commands can be executed, such as the output of running whoami; a screenshot is recommended.


Payment Terms and Restrictions

The reward amount is based on the popularity of the affected application and the scope of the vulnerability's impact.

If multiple white hats submit the same vulnerability on CJ, only the first submitter in chronological order is rewarded.

Multiple vulnerabilities arising from the same root cause count as one vulnerability. Examples: different interfaces under the same functional module; different parameters of the same file; the same parameter appearing in different files; the same file in different directories; the same vulnerability exploited in different ways; different versions of the same vulnerability; the same function causing a vulnerability in several places.

If a single fix makes the subsequent exploits infeasible, the later submissions are considered duplicates.

Examples:

a. If the same global function is used for data processing in several interface programs, and exploiting that global data-processing function causes a vulnerability, all such vulnerabilities are regarded as one vulnerability.

b. If a vulnerability is disclosed on the Internet before the CJ platform has fixed it, no reward will be paid.

c. No reward will be paid for reporting vulnerabilities that are already public online.

d. At any stage of processing, if a vulnerability is found to be a duplicate or to have been made public, the CJ platform has the right to reject it and cancel the reward. Maliciously submitting duplicate vulnerabilities to obtain rewards will result in a warning or a ban from the program.


Precautions

1. Malicious reporters will be permanently barred from working with us.

2. Questions unrelated to a report will not receive a response.

3. CJ employees may not participate in the Bug Bounty Program, either directly or through friends.

4. The bounty program is only available to those who report vulnerabilities through the email address provided by the CJ platform.


If anything is unclear, please contact our online support.