Midea IoT Security Emergency Response Center (MIoTSRC)

Technology at its best, life at its most beautiful

MIoTSRC Vulnerability Rating Standard


Critical security issues

1. Vulnerabilities that directly obtain core system privileges or can directly harm the intranet, including but not limited to command execution and remote overflow vulnerabilities;

2. Vulnerabilities that can obtain the core data of a large number of users;

3. Logic flaws that directly lead to serious impact, including but not limited to serious logic errors and vulnerabilities that can be used to gain substantial benefits and cause losses to the company and its users.


High-risk security issues

1. Vulnerabilities that directly obtain business server privileges, including but not limited to arbitrary command execution, webshell upload, and arbitrary code execution;

2. Vulnerabilities that directly lead to serious information leakage, including but not limited to SQL injection in a core database;

3. Logic flaws that directly lead to serious impact, including but not limited to arbitrary account password change vulnerabilities;

4. Vulnerabilities that can directly steal user identity information in bulk, including but not limited to SQL injection;

5. Unauthorized access, including but not limited to bypassing authentication to reach the admin backend.


Medium-risk security issues

1. Vulnerabilities that require user interaction to obtain user identity information, including but not limited to stored XSS;

2. Arbitrary file manipulation vulnerabilities, including but not limited to arbitrary file read, write, delete, and download;

3. Unauthorized access, including but not limited to bypassing restrictions to modify user information or perform operations on behalf of a user;

4. Fairly serious information leakage vulnerabilities, such as disclosure of files containing sensitive information (for example, database connection passwords).


Low-risk security issues

Vulnerabilities that have some impact but cannot directly obtain device privileges or affect data security, such as: leakage of non-sensitive information, URL redirects, hard-to-exploit XSS, and ordinary CSRF.



Remarks:

The following issues are not included in the three levels above:

1. Bugs that do not involve security, including but not limited to product functional defects, garbled web pages, broken styling, static file directory traversal, and application compatibility issues.

2. Vulnerabilities that cannot be exploited: CSRF without sensitive operations, meaningless error or exception information leakage, and internal network IP address or domain name leakage.

3. Issues that cannot be directly shown to constitute a vulnerability, including but not limited to reports based purely on the reporter's speculation.