Bug Bounty Program

FJDynamics fully recognizes that relying solely on an internal security team makes it difficult to comprehensively address all potential risks. Security researchers and the broader security community are vital forces in identifying and remediating security vulnerabilities. To this end, FJDynamics officially launches its Bug Bounty Program with the goal of building a collaborative bridge between the company and security researchers. We encourage security enthusiasts worldwide to actively participate in enhancing the security of FJDynamics' products and business systems.

1. Vulnerability Handling Process

1.1 Vulnerability Submission
Security researchers may report their findings in detail by sending an email to infosec@fjdynamics.com. The report must include comprehensive and detailed vulnerability information. A lack of critical details may result in delays or an inability to proceed with the vulnerability assessment.


1.2 Vulnerability Review and Assessment
Upon receiving a vulnerability report, the FJDynamics security team will conduct a preliminary review to determine whether the issue falls within the scope of this program. If it does not, the reporter will be notified via email with an explanation for non-acceptance. If the report is within scope, a formal assessment process will be initiated.
During the assessment phase, the security team will evaluate the vulnerability based on its technical details, test environment information, and other relevant data to verify its authenticity and exploitability, as well as analyze its potential risks.


1.3 Vulnerability Rating and Feedback
Upon completion of the assessment, the security team will assign a severity rating to the vulnerability. Within 7 business days after the rating is finalized, the result will be communicated to the reporter via the official security platform.


1.4 Agreement Signing and Reward Disbursement
The reporter is required to sign a Non-Disclosure Agreement (NDA) with FJDynamics to ensure that all information related to the vulnerability remains confidential and is not disclosed to any third party prior to obtaining official authorization. Reward payments will be processed upon successful completion of the NDA and in accordance with the program’s guidelines.
Valid reports will be rewarded based on the severity of the vulnerability and compliance with our guidelines. Rewards may include monetary compensation, recognition, and our sincere appreciation for your contribution to our security efforts. Confirmed vulnerabilities are expected to be rewarded within 1 to 3 months.


1.5 Vulnerability Remediation and Closure
The FJDynamics security team will strive to resolve and remediate reported vulnerabilities in the shortest possible time.


2. Vulnerability Reporting Requirements and Valid Scope

2.1 Vulnerability Reporting Requirements
High-quality vulnerability reports are essential for accelerating the assessment and remediation process. Submissions must meet the following criteria:
Vulnerability Details Description:
- Clearly and accurately describe the vulnerability’s underlying principle, triggering conditions, and potential impact.
- Provide detailed, step-by-step instructions to reproduce the vulnerability, ensuring the security team can successfully replicate the issue. Steps must include the sequence of operations, tools used, and parameter configurations.
- Submit non-destructive proof-of-concept (PoC) evidence. For example: for Remote Code Execution (RCE) vulnerabilities, provide test screenshots or videos demonstrating the execution of a simple, harmless command (e.g., printing "hello world"). For data leakage vulnerabilities, submit a sample of the exposed data (with real user privacy information obfuscated).
Provide Detailed Testing Environment Information:
- Clearly specify the URL, app name, and code snippets (if applicable) associated with the vulnerability.
- For hardware-related vulnerabilities: Provide the device model, firmware version number, and operating system version. For software-related vulnerabilities: Include the software version and runtime environment (e.g., OS type/version, browser type/version).
- Retain and submit relevant data from testing (e.g., network packet capture files, log files) as attachments to the report.

2.2 Valid Scope for Vulnerability Reports
- Domains: fjdynamics.com, fjdynamics.cn, fjdac.com, fjdac.cn.
- Mobile Applications: FJDynamics, FJD Trion Scan, Jiangdu, FJD Trion Model, FJDynamics Energy Center, FJD Landscaping (iOS and Android versions).
- Hardware Products and Firmware: FJD Precision Agriculture, FJD Geospatial Surveying, FJD Digital Construction (Limited to products within the official security maintenance period, as specified in the product support list published on the FJDynamics official website).
- Authentication Mechanisms: FJDynamics account login systems, device binding authentication, API interface authorization, and related mechanisms.

2.3 Non-Qualifying Vulnerability Types
- Vulnerabilities already known to or patched by FJDynamics (as documented in official security advisories or vulnerability databases).
- Vulnerability reports targeting products or services that FJDynamics has discontinued selling or officially announced end-of-security-support.
- Vulnerabilities related to third-party products or services (e.g., third-party plugins, integrated third-party APIs), unless the vulnerability arises from FJDynamics’ integration method and poses a security risk.
- Vulnerabilities that cannot be reproduced, lack critical technical details, or are purely theoretical risks.
- Issues that fall within the scope of normal business operations rather than security defects (e.g., general user experience optimization suggestions, feature requests).


3. Vulnerability Rating Factors and Criteria

3.1 Vulnerability Rating Factors
- Data Security Impact: The sensitivity level of potentially exposed data (e.g., user ID numbers, bank card information, and commercial secrets are classified as highly sensitive; user nicknames and public device information are considered low-sensitivity) and the volume of data affected.
- Exploitation Difficulty: Whether specialized hardware, specific network environments, or high-privilege accounts are required for exploitation, as well as the complexity of the steps involved.
- User and Business Risk: The potential for harm to FJDynamics users (e.g., financial loss, privacy leakage, device damage) and the degree of disruption or negative impact on corporate operations (e.g., production activities, service availability).
- Scope of Impact: The types of products affected, the number of devices or users impacted, and the scale of server clusters vulnerable to the issue.


3.2 Factors Excluded from Rating Considerations
- Time investment by security researchers during the vulnerability discovery process.
- Costs associated with purchasing FJDynamics products for the purpose of vulnerability research.
- Any other factors unrelated to the inherent severity or scope of the vulnerability (e.g., the researcher’s personal background, sophistication of tools used).


3.3 Vulnerability Rating Criteria and Rewards

Each severity level is defined below, together with typical cases.

Critical Severity
Definition: Poses a catastrophic threat to FJDynamics' system integrity and user data security. Easily exploitable with exceptionally broad impact, potentially leading to massive data leakage, complete device compromise, or paralysis of core business operations.
Typical cases:
1. Execution of arbitrary code within the Trusted Execution Environment (TEE), bypassing all security protections.
2. Remote execution of arbitrary code enabling control of a significant number of FJDynamics devices, resulting in abnormal operation or systemic compromise.
3. Remote permanent denial of service (DoS), rendering devices inoperable or requiring firmware reflashing for recovery.

High Severity
Definition: Poses significant risks to system security, potentially leading to unauthorized access, sensitive data leakage, or partial business disruption. These vulnerabilities are characterized by relatively low exploitation difficulty and broad impact.
Typical cases:
1. Unauthorized access to the Trusted Execution Environment (TEE) to extract stored encryption keys.
2. Remote execution of arbitrary code to compromise individual or a limited number of devices, potentially leading to theft of users’ sensitive data.
3. Remote temporary denial of service (DoS), causing device shutdown or reboot and disrupting normal operation.

Medium Severity
Definition: Poses moderate security risks that may lead to user data exposure or system malfunctions under specific conditions. These vulnerabilities feature medium exploitation difficulty and limited impact scope.
Typical cases:
1. Local execution of arbitrary code (without hardware modification) enabling access to users' sensitive data on the device.
2. Unauthorized access to users' non-core sensitive data.
3. Local denial of service requiring manual device restart for recovery.

Low Severity
Definition: Poses minimal security risks that may cause minor impacts to systems or users under specific scenarios. These vulnerabilities are characterized by high exploitation difficulty and extremely limited impact scope.
Typical cases:
1. Local execution of arbitrary code (requiring hardware modification) with no access to sensitive data.
2. Minor information disclosure posing negligible security risk.
3. Compatibility-related security issues affecting only specific legacy browsers or operating systems.

By categorizing vulnerabilities into these severity levels, we aim to prioritize our response efforts and allocate resources efficiently to address the most critical threats first, ensuring the security and integrity of our systems and user data. Rewards will reflect the type of vulnerability discovered and reported.


3.4 Reward Guidelines

- Rewards will only be issued to the first reporter of a vulnerability or security intelligence.
- Known vulnerabilities (including those already identified by FJDynamics, reported by other researchers, or documented in official records) are not eligible for rewards.
- If the same vulnerability is reported by multiple researchers, only the first valid report will be rewarded. For collaborative reports, all contributors must be explicitly listed in the submission. Rewards will be distributed based on the contributors’ internal agreement, and FJDynamics will disburse the reward solely to the designated account as per the agreement.
- FJDynamics retains final discretion over reward amounts. Any applicable personal income taxes related to the reward will be borne by the reporter and deducted directly during payment.


4. Vulnerability Disclosure Requirements

To protect the legitimate rights and interests of FJDynamics and its users, reporters must strictly adhere to the following disclosure rules:
- No disclosure of any vulnerability details (e.g., technical principles, reproduction steps, test data) to any third party (including other security researchers, media, social platforms, etc.) without prior written authorization from FJDynamics.
- After obtaining official authorization, disclosures must objectively and accurately describe the vulnerability’s impact. Reporters must not exaggerate the severity, incite user panic, or publish information that may harm FJDynamics’ brand reputation. Sensitive information (e.g., user data, user privacy, server addresses, source code snippets) must not be disclosed under any circumstances.
- Strictly prohibit selling, trading, or maliciously exploiting vulnerability information (e.g., intimidation, extortion). Violations will result in immediate revocation of rewards and may lead to legal action by FJDynamics.
- Any unauthorized access, download, or distribution of FJDynamics’ source code or data may constitute a legal violation, and FJDynamics reserves the right to pursue all available legal remedies.


5. Participation Rules and Prohibited Activities

5.1 Participation Rules
- Participants must be at least 18 years old and possess full civil capacity. Organizations or enterprises must provide valid proof of legal entity status.
- Strictly adhere to laws and regulations of the People’s Republic of China and the participant’s country/region of residence. Do not use this program to engage in any illegal or criminal activities.
- Respect user privacy and data confidentiality. Do not steal, disclose, or tamper with user data during testing. Avoid any actions that may disrupt normal user experiences.
- Only test products and services explicitly covered under this program. Do not target systems or services outside the designated scope. Testing must remain within boundaries explicitly permitted by FJDynamics.
- Submit vulnerability reports promptly through official channels upon discovery. Do not delay or conceal vulnerabilities. Cooperate with the FJDynamics security team during validation and remediation, providing necessary supplementary information.

5.2 Prohibited Activities
- Exploiting vulnerabilities to harm the interests of FJDynamics or its users, including but not limited to: Stealing user account credentials, private data, or virtual assets. Disrupting device functionality or causing physical damage to devices.
- Downloading, copying, or disseminating FJDynamics’ sensitive information during testing, including source code, core algorithms, or trade secrets.
- Launching malicious attacks against FJDynamics’ systems or devices, such as: Distributed Denial-of-Service (DDoS) attacks. Brute-force attacks that cause system downtime, service interruptions, or data loss.
- Threatening, extorting, or maliciously exaggerating the impact of vulnerabilities to incite public panic via social media, media coverage, or other channels, thereby damaging FJDynamics’ brand reputation.
- Disclosing vulnerability details to third parties or collaborating with them to exploit vulnerabilities for undue gain, prior to remediation and without official authorization.
- Employing harmful or uncontrolled testing methods, such as: Using malicious code that may cause system crashes or data corruption. Conducting tests on user devices without explicit user consent.
- Violating the participation agreement of this program or other officially published rules, and failing to rectify such behavior after notification by FJDynamics.
If a participant engages in any of the prohibited activities outlined above, FJDynamics will:
- Immediately terminate the participant’s eligibility for the program.
- Revoke all recorded, pending, or issued rewards.
- Pursue compensation for financial losses through legal means where applicable.
- Refer illegal activities to judicial authorities for criminal investigation and prosecution.


6. Disclaimer

FJDynamics reserves the right to modify the terms and conditions of the Bug Bounty Program at any time without prior notice. Participation in the program implies acceptance of all applicable rules and guidelines. Rewards may vary based on the severity and impact of the reported vulnerabilities.