Security Bounty Program

QNAP has an uncompromising commitment to information security and has partnered with the security research community to identify and fix vulnerabilities to keep our users, products, and the internet safer. To thank those contributing, QNAP provides rewards through our security bounty program.

Program Scope

Our security bounty program only accepts security vulnerabilities in QNAP products and services. Out-of-scope vulnerabilities will not be eligible for a reward, with exceptions made for out-of-scope reports of critical vulnerabilities depending on the situation.

  • Operating Systems

    Includes QTS, QuTS hero, QuTScloud

  • Applications

    Includes QNAP-developed applications

  • Cloud Services

    Includes cloud services provided by QNAP

How to report a vulnerability and get rewards?

Use the PGP public key below to encrypt your email and send it to security@qnap.com. We will contact you as soon as possible.

Vulnerability Report Suggested Format

PGP encryption key

Reward Qualifications

  • You must be the first researcher to report the vulnerability.

  • You must not have publicly shared any files and/or details related to the vulnerability. This includes uploads to any publicly-accessible websites.

  • The reported vulnerability is confirmed to be verifiable, replicable, and a valid security issue by the QNAP PSIRT team.

  • You agree to all the terms and conditions of the security bounty program.

The reward may be increased based on:

  • Format Integrity: Comply with the format examples and provide detailed information when reporting vulnerabilities in operating systems, applications, or cloud services. Format examples: Operating Systems, Applications, Cloud Services.

  • Steps to Reproduce: Illustrate your steps to reproduce the vulnerabilities.

  • Problem Descriptions: Clearly and concisely present your troubleshooting and approach.

  • Other Supporting Information: Include testing code, scripts, and anything else required for your explanation.

  • Raw Data of Attacks (exploit payload): A report in text form is required to ensure data integrity. Vulnerability assessments can fall short of QNAP PSIRT's expectations when network payloads are provided only as images.

FAQ

The reward is determined by the complexity of successfully exploiting the vulnerability, the potential exposure, and the percentage of impacted users and systems.

If videos can make it easier for us to understand how vulnerabilities are exploited, the QNAP award committee may increase the reward as a result. Please note that written documentation must still be provided (e.g., product information, vulnerability summary, and steps to reproduce) as it helps in managing the vulnerability disclosure process.

A vulnerability report must include at least the following information: the product name, version, and build number where the vulnerability exists, or the URL location for cloud services.
It should also provide a summary of the potential threats posed by the vulnerability, along with clearly detailed replication steps. Additionally, the report can be accompanied by a video demonstrating the vulnerability.

Please use the PGP key provided by QNAP to encrypt the report and send it to security@qnap.com. The system will automatically respond with a technical support number, which you can use to inquire about the review progress. The QNAP PSIRT team will proactively contact the researcher to verify the completeness of the submitted information. If all the required information has been provided, the researcher will receive a QNAP PSIRT vulnerability confirmation letter within one week. The letter will include the assigned CVE ID for the reported security issue. The researcher will be notified of the award proposal via email four weeks after the date of the vulnerability confirmation letter. If the researcher agrees, QNAP is expected to make the payment 12 weeks after receiving the confirmation response.
