We value cybersecurity and are committed to continuously strengthening the protection of our websites. If you are a security researcher and discover a potential vulnerability on our site, we sincerely invite you to report it — eligible reports will be rewarded.
|
Scope of the Program |
This bug bounty program applies only to the following domains:
Reports are limited to public pages and functionality belonging to the websites listed above. Do not test company internal systems, third-party services, or non-public endpoints.
AUO reserves the right to modify this list at any time without prior notice.
|
Eligibility Criteria |
To ensure legality and simplify verification, this program only accepts participants who are citizens of the Republic of China (Taiwan) and at least 18 years old.
Participants must provide valid identification when submitting a report for identity verification and subsequent reward disbursement.
Acceptable Vulnerability Types (including but not limited to):
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Authentication bypass
- Privilege escalation
- Server-side programming errors (e.g., remote code execution, SQL injection)
- Sensitive data exposure (e.g., unauthorized access to personal data or configuration files)
|
Items Not Eligible for Rewards |
To focus on website security itself, the following items will not be eligible for rewards:
- Low-risk information discovered by automated tooling
- Clickjacking
- Missing HTTP headers (e.g., CSP, HSTS)
- Publicly available information such as whois data or metadata
- Denial-of-service testing (e.g., DoS attacks)
- Social engineering or phishing
- Zero-day vulnerabilities or attacks disclosed publicly within the past 90 days
- Vulnerability scan reports that do not detail the security impact
- Theoretical risks without a concrete proof-of-concept (PoC)
|
Reporting Priority Rule |
If two or more participants discover and report the same vulnerability concurrently, the reward will be granted to the person who submitted the first complete report. Subsequent reporters are appreciated but will not receive an additional reward.
|
Responsible Disclosure Policy |
We encourage responsible disclosure. Participants must adhere to the following principles:
- Do not exploit or publicly disclose vulnerability details.
- Do not disrupt services or affect other users.
- Perform only non-intrusive testing.
- Stop testing immediately once a vulnerability is found and submit a report.
Reported vulnerability information must not be publicly disclosed in any form (including but not limited to social media, forums, or other public platforms) without our explicit written permission.
|
Reporting Process |
Please submit your findings to us using the following method:
- Email address: bugbounty@zyxd19.com
- Report content must include:
- Date and time of discovery
- Affected page URL(s)
- Detailed description of the vulnerability and reproduction steps
- Tools and sample data used during testing (if any)
|
Reward Mechanism |
Reward amounts will be assessed based on the severity and impact of the vulnerability, as follows:
|
We reserve the right to the final interpretation and issuance of reward amounts.