How to report a security vulnerability issue
If you have a security vulnerability issue with a Nothing product or application, please send an e-mail to g_feedback@nothing.tech.
Use the public PGP key to encrypt email with sensitive information and to verify that security communications sent by Nothing are genuine.
Active Date: July 4, 2022
Expiration Date: N/A
Key ID: 0xA785B8AA
Key Type: RSA
Key Size: 4096/4096
Fingerprint: 96A4 6E60 11B0 32D9 8D54 B384 F6EF CEC6 A785 B8AA
User ID: g_feedback@nothing.tech
In your email, please provide the following information:
Please detail the process of discovering the issue and its impact. Please also include any relevant code source documents, screenshots or videos. If you used debugging tools during the vulnerability exploitation process, please upload them as attachments. If the tools are too large, please provide a download link. Additionally, please provide the vulnerability proof of concept or exploit.
Note: failure to meet these requirements may result in your report not passing the review process.
Once we receive your vulnerability report, we will complete the verification process within 30 working days and reply to your vulnerability email with the results. Please continue to monitor your email for updates.
g_feedback@nothing.tech only collects security vulnerabilities related to Nothing products. If you have other product related issues, you can reach us via our contact us page.
Vulnerability rewards
Critical
$1000 - $2000
Disclosure of sensitive information, unauthorised access to core systems or large amounts of sensitive information, ultra vires on sensitive operations.
High
$500 - $1000
Vulnerabilities that directly obtain permissions, lead to leakage of sensitive information, and steal internal user information.
Medium
$100 - $500
Vulnerabilities that require interaction to obtain permissions, lead to serious information leakage, and steal internal user information.
Low
$20 - $100
Only in a specific environment can access permissions lead to information leakage, theft of internal user information vulnerabilities.
If the store coupon is not available in your region, we will convert it into other rewards on a pro-rata basis.
Terms and conditions apply to all vouchers. Voucher amounts and types are at Nothing's sole discretion.
Notice:
The following situations will not be rewarded:
Rewards will be downgraded or cancelled in the following situations:
For the same URL, if there are similar vulnerabilities in multiple parameters, rewards will be given according to one vulnerability, and rewards will be given according to the greatest degree of harm for different types.
Multiple vulnerabilities generated by the same source are counted as a single vulnerability. For example, multiple security bugs caused by the same JS, multiple page security bugs caused by the same publishing system, whole station security bugs caused by frameworks, multiple security bugs generated by domain name resolution, etc.
If you submit multiple vulnerabilities in the same report, we will reward you with the highest damage level vulnerability.
When submitting a vulnerability, please confirm whether it will have a real impact on the business and submit proof of actual harm. Indirect harm or speculative harm will not be considered when grading.
Reward Distribution Cycle:We will distribute rewards within 30 working days upon completing the verification of the vulnerability via email(?). Please check your reward status promptly.
Personal Information InvolvedTo receive the reward, you need to provide your NOTHING.tech account or other account information. However, we will not request any additional personal information during the vulnerability submission process. We will only require your registered email address for communication and your registered account information for the reward issuance.
We will access, process, and share your personal information in accordance with our Privacy Policy. By participating , you agree to the access, use, and sharing of your personal information as described above and in our Privacy Policy. If you have any questions regarding this Privacy Policy or its implementation, here is how you can reach us: Email Address: privacy@nothing.tech