Program Scope
Our security bounty program only accepts security vulnerabilities in IEI products and services. Out-of-scope vulnerabilities will not be eligible for a reward, with exceptions made for out-of-scope reports of critical vulnerabilities depending on the situation.
System Software
IEI-developed system software: system software designed and developed by IEI and integrated into IEI products.
IEI Official Website
IEI official website, excluding third-party and open-source software.
How to Report Security Issues and Vulnerabilities
Use the below PGP encryption public key to encrypt your email and send it to security@ieiworld.com, IEI PSIRT will contact you as soon as possible.
Suggested Format for Vulnerability Report
System Software
IEI Official Website
PGP Encryption Key
Reward Qualifications
You must be the first researcher to report the vulnerabilities.
You must not have publicly shared any files and/or details related to the vulnerability. This includes uploads to any publicly-accessible websites.
The reported vulnerability is confirmed to be verifiable, replicable, and a valid security issue by the IEI PSIRT team.
You agree to all the terms and conditions of the Security Bounty Program.
The reward amount is subject to adjustment,depending on:
- Follow the suggested vulnerability reporting format: Please provide the necessary and sufficient information for the vulnerability report. Suggested formats include: System software format example and IEI official website format example.
- Steps to Reproduce: Illustrate your steps to reproduce the vulnerabilities.
- Problem Descriptions: Clearly and concisely present your troubleshooting and approach.
- Other Supporting Information: Include testing code, scripts, and anything else required for your explanation.
- Raw Data of Attacks (exploit payload): A report in text form is required for ensuring data integrity. Vulnerability assessments can fall short of IEI PSIRT's expectations when network payloads were provided in images only.
- 1
How is the bounty reward determined?
The reward is determined by the Reward Committee, composed of IEI PSIRT members, based on the complexity of exploiting the vulnerability and the severity of the security vulnerability, including the percentage of affected users and systems.
- 2
Can I submit a video as proof-of-concept?
If videos make it easier for us to understand how vulnerabilities are exploited, the IEI Award Committee may increase the reward as a result. Please note that written documentation must still be provided (e.g., product information, vulnerability summary, and steps to reproduce) as it helps in managing the vulnerability disclosure process.
- 3
What information must be included in a vulnerability report?
A vulnerability report must include at least the following information: the product name, version, and build number where the vulnerability exists, or the URL location for cloud services. It should also include a summary of the potential threats posed by the vulnerability, along with clear and detailed replication steps. Additionally, the report may be accompanied by a video demonstrating the vulnerability.
- 4
How do I know if my submission has been received by IEI?
Please use the PGP Key provided by IEI to encrypt the report and send it to security@ieiworld.com. The system will automatically respond with a technical support number, which you can use to inquire about the review progress. The IEI PSIRT team will proactively contact the researcher to verify the completeness of the submitted information. If all the required information has been provided, the researcher will receive an IEI PSIRT vulnerability confirmation letter within one week. The award proposal will be communicated via email four weeks after the date of the vulnerability confirmation letter. If the researcher agrees, IEI will make the payment 12 weeks after receiving the confirmation response.