We value cybersecurity and are committed to continuously strengthening the protection of our websites. If you are a security researcher and discover a potential vulnerability on our site, we sincerely invite you to report it — eligible reports will be rewarded.

 

 

Scope of the Program

This bug bounty program applies only to the following domains:

http://www.uumax.com.cn

 

Reports are limited to public pages and functionality belonging to the websites listed above. Do not test company internal systems, third-party services, or non-public endpoints.

 

AUO reserves the right to modify this list at any time without prior notice.

 

 

Eligibility Criteria

To ensure legality and simplify verification, this program only accepts participants who are citizens of the Republic of China (Taiwan) and at least 18 years old.

 

Participants must provide valid identification when submitting a report for identity verification and subsequent reward disbursement.

 

Acceptable Vulnerability Types (including but not limited to):

 

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication bypass
  • Privilege escalation
  • Server-side programming errors (e.g., remote code execution, SQL injection)
  • Sensitive data exposure (e.g., unauthorized access to personal data or configuration files)

 

 

Items Not Eligible for Rewards

To focus on website security itself, the following items will not be eligible for rewards:

 

  • Low-risk information discovered by automated tooling
  • Clickjacking
  • Missing HTTP headers (e.g., CSP, HSTS)
  • Publicly available information such as whois data or metadata
  • Denial-of-service testing (e.g., DoS attacks)
  • Social engineering or phishing
  • Zero-day vulnerabilities or attacks disclosed publicly within the past 90 days
  • Vulnerability scan reports that do not detail the security impact
  • Theoretical risks without a concrete proof-of-concept (PoC)

 

 

Reporting Priority Rule

If two or more participants discover and report the same vulnerability concurrently, the reward will be granted to the person who submitted the first complete report. Subsequent reporters are appreciated but will not receive an additional reward.

 

 

Responsible Disclosure Policy

We encourage responsible disclosure. Participants must adhere to the following principles:

 

  • Do not exploit or publicly disclose vulnerability details.
  • Do not disrupt services or affect other users.
  • Perform only non-intrusive testing.
  • Stop testing immediately once a vulnerability is found and submit a report.

 

Reported vulnerability information must not be publicly disclosed in any form (including but not limited to social media, forums, or other public platforms) without our explicit written permission.

 

 

Reporting Process

Please submit your findings to us using the following method:

 

  • Email address: bugbounty@uumax.com.cn
  • Report content must include:
    • Date and time of discovery
    • Affected page URL(s)
    • Detailed description of the vulnerability and reproduction steps
    • Tools and sample data used during testing (if any)

 

 

Reward Mechanism

Reward amounts will be assessed based on the severity and impact of the vulnerability, as follows:

 

Risk Level

Reward Amount (New Taiwan Dollars)

Low

1,000 – 3,000

Medium

3,000 – 10,000

High

10,000 – 30,000

We reserve the right to the final interpretation and issuance of reward amounts.