# Who Is the Best? Reward Analysis of Major Domestic Emergency Response Centers

Over the past few months I have used the platforms of several emergency response centers. Based on my own experience, I would like to share the rewards offered by the major domestic emergency response centers. This post only analyzes the rewards, with some brief introductions, and does not comment on them.

Analysis basis:

Analysis targets: Tencent Security Emergency Center (TSRC), Netease Security Center, JD Emergency Response Center (JSRC), Baidu Security Response Center (BSRC)

1、 Tencent Security Emergency Center (TSRC)

Website: http://security.tencent.com

The first security emergency response center in China, with sound rules and a user-friendly approach.

Highest

Market average price: (7788 + 7858 + 7959 + 7818 + 7999 + 7788 + 7886) / 7 = 7870.86

Secondary

There are two middle-tier gifts. Because one of them is a router that Tencent customized for security experts, its price is hard to calculate, so the USB drive is used:

Market average price: (285 + 355 + 369 + 286 + 299) / 5 = 318.8

Lowest

There are also two lowest-tier gifts. The emoticon dolls do not appear to be sold on the market, so the QQ token is used:

Official price: 26

Redeeming all three requires (2100 + 60 + 3) = 2163 exchange currency, so the value of each exchange currency is: (7870.86 + 318.8 + 26) / 2163 = 3.80 (RMB)

PS: Because TSRC is tied to QQ, exchange currency can also be exchanged for Q coins. The exchange ratio is 20:100: 20 exchange currency can be exchanged for 100 Q coins at the official price, i.e. 1:5 RMB.

In other words, the higher the vulnerability score, the higher the contribution currency. See: http://security.tencent.com/uploadimg_dir/other/tsrc.pdf

A typical web reflected XSS, rated medium with a base score of 3 points, earns exchange currency according to the rules: 3 * 10 = 30, equivalent to 30 * 3.8 = 114 RMB

A typical web stored XSS, rated medium with a base score of 5 points, earns exchange currency according to the rules: 5 * 10 = 50, equivalent to 50 * 3.8 = 190 RMB

A web stored XSS with slightly greater harm, rated high with a base score of 6 points, earns exchange currency according to the rules: 6 * 30 = 180, equivalent to 180 * 3.8 = 684 RMB

Two client-side stored XSS vulnerabilities with greater harm, rated high with a score of 14, earn exchange currency according to the rules: 14 * 45 = 630, equivalent to 630 * 3.8 = 2390 RMB

A serious client-side XSS vulnerability, rated serious with a score of 9 points, earns exchange currency according to the rules: 9 * 90 = 810, equivalent to 810 * 3.8 = 3078 RMB

Thanks to Heige, rasca1, evi1m0 and myself (in no particular order) for providing the vulnerability reward pictures.

2、 Netease Security Center

Website: http://aq.163.com

The second real security center (it's said that the second one is everyone, but I got rid of it. I don't know whether it's true or not =!). The center offers discounted gift exchange prices every month, so this analysis is based only on the exchange prices in October 2013.

Highest

There is no detailed description, so based on an image search the model is most likely: MacBook Pro ME662CH/A 13.3 inch

Market average price: (11888 + 11888 + 11988 + 12488) / 4 = 12063

Secondary

By required exchange points, the median is 49, and there are 5 gifts that cost 49, respectively:

The price of the Netease customized air-conditioning blanket is not easy to calculate, so take the sum of the other four official prices and divide by 4: (138 + 99 + 159 + 125) / 4 = 130.25

Lowest

Official price: 2

Redeeming all three requires (4999 + 49 + 2) = 5050 exchange currency, so the value of each exchange currency is: (12063 + 130.25 + 2) / 5050 = 2.41 (RMB)

PS: Netease's mall also offers exchange for general points of the Netease all-in-one card. The exchange ratio is 19:500: 19 exchange currency can be exchanged for 500 general points at the official price, i.e. 1:2.63 RMB.

For the scoring rules of the Netease Security Center, please refer to version 3.1 of the "Netease Security Center security report processing instructions".

A common information leak, rated low, gets a score of 2 and a contribution currency of 2 * 1 = 2, i.e. 2 * 2.41 = 4.82 RMB

A common reflected XSS, rated low, gets 3 points and a contribution currency of 3 * 3 = 9, i.e. 9 * 2.41 = 21.62 RMB

An ordinary stored XSS, rated medium, gets 5 points and contribution currency as required: 5 * 3 = 15, that is, 9 * 2.41 = 36.15 RMB

An ordinary stored XSS, rated high, gets 6 points and contribution currency as required: 6 * 5 = 30, i.e. 30 * 2.41 = 72.3 RMB

A special vulnerability that requires interaction to obtain the user's account password. The main product carries an extra coefficient of 3; it is rated high and gets a score of 12. According to the rules, this yields 12 * 5 * 3 = 180, that is, 180 * 2.41 = 433.8 RMB

Thanks to evi1m0 and myself (in no particular order) for providing the vulnerability reward pictures.

3、 JD emergency response center (jsrc)

Website: http://security.jd.com

The third largest emergency response center opened to the public in April 2013.

Highest

Market average price: (5048 + 5288 + 4378 + 4789 + 4599 + 4688) / 6 = 4798.33

Secondary

Official price: 599

Lowest

The lowest tier is four books, with an exchange price of nine yuan. Their average price is: (47.2 + 48.3 + 41.3 + 50.2) / 4 = 46.75

Redeeming all three requires (900 + 90 + 9) = 999 exchange currency, so the value of each exchange currency is (4798.33 + 599 + 46.75) / 999 = 5.45

PS: At the Jingdong emergency response center, exchange currency can also be exchanged for physical Jingdong Mall gift cards. The exchange ratio is 50:200: 50 exchange currency can be exchanged for a 200 gift card at the official price, i.e. 1:4 RMB. During the discount period, the exchange ratio is 33:200.

For the scoring rules of the JD emergency response center, please refer to v1.0 of the "description of vulnerability feedback processing process of JD security emergency response center". The score is the exchange currency, and no grade conversion is required.

An ordinary information leak, rated low, gets a score of 1, i.e. 1 * 5.45 = 5.45 RMB

A typical reflected XSS, rated medium, gets 3 points, i.e. 3 * 5.45 = 16.35 RMB

A typical stored XSS, rated medium, gets 6 points, i.e. 6 * 5.45 = 32.7 RMB

A serious stored XSS, rated high, gets 8 points, i.e. 8 * 5.45 = 43.6 RMB

A getshell vulnerability, rated serious, gets 9 points, i.e. 9 * 5.45 = 49.05 RMB

A Struts vulnerability, rated serious, gets 9 points, i.e. 9 * 5.45 = 49.05 RMB

Thanks to evi1m0, af.test and myself (in no particular order) for providing the vulnerability reward pictures.

4、 Baidu Security Response Center (BSRC)

Website: http://sec.baidu.com

Baidu Security Center opened to the public in June 2013.

Highest

Market average price: (5048 + 5288 + 4378 + 4789 + 4599 + 4688) / 6 = 4798.33

Secondary

iPod:

Market average price: (359 + 359 + 368 + 379 + 399 + 399 + 329 + 330 + 399 + 300) / 10 = 362.1

Lowest

USB drive:

TF:

Push up stand:

Market average price: (29.9 + 31.6 + 31.9 + 32.9 + 35 + 43 + 31.6 + 29.9 + 31.8 + 31.9 + 31.9 + 39.9 + 29 + 39 + 39 + 39 + 28 + 45) / 20 = 32.965

Redeeming all three requires (1200 + 100 + 15) = 1315 exchange currency, so the value of each exchange currency is: (4798.33 + 362.1 + 32.965) / 1315 = 3.95 (RMB)

For the scoring rules of the Baidu Security Center, please refer to "details of vulnerability reward processing of Baidu Security Response Center v2.0". The points are the exchange currency, and no grade conversion is required.

A typical reflected XSS, rated medium, gets 10 points, i.e. 10 * 3.95 = 39.5 RMB

A typical stored XSS, rated medium, gets 15 points, i.e. 15 * 3.95 = 59.25 RMB

PS: In the BSRC activity feed, scores above 10 points are given all the time, but scores above 20 points are rarely given, so only screenshots of these two typical cases are taken.

Thanks to l4yn3 and myself (in no particular order) for providing the vulnerability reward pictures.

Summary

Ranked by the value of the exchange currency, the order of these platforms is as follows:

Jingdong emergency response center (5.45) > Baidu Security Response Center (3.95) > Tencent Security Emergency Center (3.8) > Netease Security Center (2.41)

Ranked by a typical reflected XSS, the order of these platforms is as follows:

Tencent Security Emergency Center (114) > Baidu Security Response Center (39.5) > Netease Security Center (21.62) > Jingdong emergency response center (16.35)

Ranked by a typical stored XSS, the order of these platforms is as follows:

Tencent Security Emergency Center (190) > Baidu Security Response Center (59.25) > Netease Security Center (36.15) > Jingdong emergency response center (32.7)

Ranked by the highest-value vulnerability (highest score), the order of these platforms is:

Tencent Security Emergency Center (web 2280, client 3420, DZ! 6840) > Netease Security Center (1084.5) > Baidu Security Response Center (592.5) > JD emergency response center (54.5)

In fact, this ranking only holds under the premise of equal difficulty. In practice, the difficulty of finding vulnerabilities differs greatly from company to company. For example, some of JD's vulnerabilities are easy to find, and JD's vulnerability review is more user-friendly, which makes its points easy to earn. Seriously, 20+ points can be earned in one day. Tencent and Baidu are relatively difficult, and it takes time and effort to find vulnerabilities there. For example, Tencent does not accept some simple self-XSS, while Baidu's points are very low (it may also be that no one has submitted high-risk vulnerabilities). When the author wrote this post, Baidu's points rewards were as follows:

In addition, this analysis has some shortcomings. The gift exchange rates on each platform vary, so the points actually earned may not be redeemable for a gift of the corresponding value, or may be redeemable for a gift worth more than the corresponding value. For example, Baidu's stored XSS, which converts to 59.25 RMB, can only be exchanged for a TF card worth 32.965 RMB; Tencent's reflected XSS, which converts to 114 RMB, can be exchanged for 10 tokens worth 260 RMB; comparatively speaking, JD's rate is the most stable, at 1:5 RMB.

If you have time, you can add up the total price of all gifts on each platform and divide it by the total exchange currency required. There is bound to be a large gap between this kind of ranking and reality, but in terms of the data, this is how it comes out. Have fun.

Corrections and additions are welcome.