Implementation date: March 23, 2023
Basic principle
SHAREit welcomes vulnerability reports from users and white hats to keep our business and customers secure.
SHAREit supports responsible vulnerability disclosure and handling. We promise to reward every user who abides by the white-hat spirit, protects the interests of users and helps SHAREit improve its security quality.
SHAREit may need the help of white hats when evaluating a vulnerability, and may also need their assistance to reproduce the problem so that it can be solved effectively.
SHAREit hopes to build good interaction with white hats and security researchers through this platform. The development of the security industry depends on the cooperation of all parties, and we sincerely invite white hats, security organizations and security researchers to join SHAREit's security ecosystem and help protect network security.
Warm Reminder: All vulnerability submissions must comply with the above basic principles. Once these rules are violated, the vulnerability will no longer be eligible for a reward. In addition, SHAREit reserves the right to pursue legal responsibility for violations of vulnerability disclosure.
Scope of Assets
The bounty policy applies to:
- The latest versions of apps on Google Play, including SHAREit, SHAREit Lite and other related apps.
- Related websites built by SHAREit.
- Vulnerabilities in products scheduled to be removed from the market within three months are not accepted.
Rewards
Security and privacy vulnerabilities are divided into four risk levels according to their harm: critical, high, medium and low.
Web vulnerability
APP vulnerability
Privacy vulnerability
Threat intelligence
General Rules for Rewards
A "known vulnerability" is one that the company already knows about or that a white hat has already reported. Vulnerabilities that have already been discovered and are being handled internally will not be rewarded; SHAREit SRC will not dismiss a vulnerability without giving reasons, and will provide relevant evidence.
Multiple vulnerabilities of the same type in the same application: for each additional vulnerability, the reward increases by 0.3 times, up to a maximum of twice the reward. If the vulnerabilities all stem from the same underlying problem, so that fixing one automatically fixes the others, only the first vulnerability is confirmed (for example, an XSS bypass caused by the same filter function, or a framework-layer vulnerability).
If multiple business issues (including PC and mobile) are caused by the same component, only one vulnerability will be confirmed; for example, multiple APP vulnerabilities caused by the same third-party SDK or third-party library.
The final reward for a vulnerability is determined by several factors, such as the difficulty of exploitation and the scope of impact; if the conditions needed to trigger the vulnerability are very hard to meet, the vulnerability will be downgraded.
Report requirements and special circumstances
If the same vulnerability is submitted to SHAREit SRC more than once, only the first reporter will be rewarded.
In the report, the title of the vulnerability should clearly state the location of the vulnerability (domain name or specific function), the type of vulnerability and other related information.
The report must accurately describe the principle of the vulnerability, its location, exploitation conditions, testing steps (PoC & EXP), impact range, repair suggestions, etc., and provide screenshots of the key steps, screenshots of successful exploitation, video, etc.
For APP vulnerabilities, the report must name the affected client, its version number and any special channel for downloading the package. Please indicate the download source and give the exact location of the vulnerable code, including package name, class name and a description of the key section of code. If the vulnerability is not a code-level one but a business-operation vulnerability, please clearly state the functional entry point.
In accordance with the above principles, reports that do not provide complete vulnerability details will not be rewarded.
After receiving a report, we will reply by email within 2 working days, then review the report and give the result within 5-10 working days.
In the meantime, please do not disclose or disseminate the details of a vulnerability before it is fixed.
Payment
SHAREit SRC only pays cash. Cash payments will be made by bank transfer or PayPal from SHAREit's account.
SHAREit SRC settles rewards for all valid vulnerabilities in the middle of each month and pays cash within 30 days. If that period falls on a legal holiday, the settlement and payment times will be postponed.
White hat experts can choose from several ways of receiving the reward; the following information must be provided for each.
- Bank transfer: beneficiary name, bank name, account number, nation, address, SWIFT code, IFSC, IBAN, inter-bank number.
- PayPal transfer: account number, name, nation, PayPal payment link.
- Other reward options equivalent to the same amount of cash.
Payment time may be affected by currency type, holidays, bank location and other factors; thank you for your understanding. Please provide correct personal information for payment of the reward. We promise that all PII is used only for reward payment purposes and is protected at the same security level as SHAREit customers' PII.
Attention
For any objection to the vulnerability handling, please send an email to sec@ushareit.com.
SHAREit opposes and condemns all hacking that uses vulnerability testing as an excuse to exploit security vulnerabilities and damage the interests of customers. We will pursue legal responsibility for such activities.
SHAREit employees (including regular employees and outsourced employees) cannot participate in the bounty.
SHAREit SRC has the final right to interpret all the above terms.