iQiyi Security Incident Response Center Vulnerability Handling Policy (Version 3.0)
iQiyi Security Incident Response Center Vulnerability Handling Policy version 3.0 outlines scope, principles, reporting process, severity scoring, reward system, user levels, dispute resolution, and prohibitions, emphasizing dedicated handling, point-based rewards, and strict rules for disclosures and malicious activity.
Version: V3.0 (effective from 2021‑01‑01).
Scope: This policy applies to all security vulnerabilities reported to the iQiyi Security Emergency Response Center (71SRC) for any iQiyi product or service, including core, general, edge, and partner business lines.
Basic Principles: iQiyi is committed to (1) assigning dedicated staff to follow up on every report, (2) rewarding responsible disclosure, (3) condemning any malicious exploitation of vulnerabilities, and (4) providing timely feedback via the designated email ([email protected]).
Vulnerability Handling Process: Submit the vulnerability at https://security.iqiyi.com/#submit. After submission the ticket status is Unreviewed. 71SRC reviews the report. If the vulnerability is valid, the status changes to Fixing; if it is a duplicate, ignored, or has no impact, the status changes to Closed after communication. Reporters may ask questions via ticket comments or by emailing [email protected]. When the fix is confirmed, the ticket status is updated to Closed. If the issue reappears after closure, a new report may be filed as a new ticket.
Scoring Standards: Vulnerabilities are graded by severity (Critical, High, Medium, Low, Ignore) and by business tier (Core, General, Edge, Partner). The table below shows the score ranges (in points) for each combination. For example, a Critical vulnerability in a Core business receives 300‑600 points, while the same severity in a Partner business is downgraded to High (100‑300 points). Detailed descriptions of each severity level are provided, ranging from large‑scale data leaks and remote code execution (Critical) to minor information disclosure and non‑impactful issues (Ignore).
General and Special Scoring Rules: SSRF vulnerabilities receive 60–500 gold coins depending on impact. All reflected XSS on iQiyi domains earn 20 gold coins; stored XSS earns 90 gold coins. SMS‑bombing findings are ignored. Minor CSRF actions (e.g., canceling a follow) are ignored. Multiple parameters with the same vulnerability in one interface should be submitted together, with possible reward upgrades. The first reporter receives points; subsequent submissions of the same issue are marked as duplicates. Public disclosure without written permission from 71SRC is prohibited. Reports must include a clear impact description, a PoC, and evidence of harm. Partner‑related business vulnerabilities are downgraded regardless of severity. Multiple issues caused by the same root cause count as a single vulnerability. Common third‑party component vulnerabilities (e.g., WordPress, Flash) award points only to the first reporter. Bugs reopened after closure are treated as new submissions. Previously public or already reported bugs receive no points. Social engineering to obtain data is prohibited and may incur liability. All interpretation rights belong to 71SRC.
Dispute Resolution: If a reporter disagrees with the handling process, severity rating, or scoring, they may email [email protected] for a dedicated review.
Reward Distribution Principles: Rewards are issued as virtual gold coins (1 gold = 3 RMB) redeemable for gifts at https://security.iqiyi.com/#gifts. Coins accumulate across multiple reports; unused coins do not expire. Virtual gifts are sent on the last working day of each week after communication with the reporter. Physical gifts are mailed on the same schedule, with tracking numbers updated on the SRC platform. Delays caused by incomplete reporter information shift the delivery to the following week. iQiyi is not responsible for loss or damage caused by the reporter's negligence; otherwise, 71SRC assumes responsibility.
User Level System: Registrants earn points (gold coins) that place them into eight levels: Intern Security Researcher (1‑20), Security Researcher (20‑50), Senior Security Researcher (50‑100), Veteran Security Researcher (100‑200), Security Expert (200‑300), Senior Security Expert (300‑500), Veteran Security Expert (500‑800), and Security Scientist (800+). Non‑registered users can submit bugs anonymously; these submissions are stored but do not earn points.
Important Notices: Malicious submitters will have their accounts closed and their points cleared. Irrelevant questions may be ignored by iQiyi. iQiyi employees may not participate directly or through relatives or friends. Feedback on this document should be sent to [email protected]. iQiyi reserves final interpretation rights; any changes will be reflected on official pages.
Source: iQiyi Security Emergency Response Center (71SRC).
iQIYI Technical Product Team