TVT Security Response Center (TSRC) Vulnerability Submission and Disclosure Policy
I. Overview
TVT has always been committed to technological research and product application in the field of video security. We place great importance on product security and customer experience, and sincerely thank every researcher who contributes to the security ecosystem.
The purpose of this policy:
• Build a smooth collaboration channel with security researchers and encourage responsible vulnerability disclosure;
• Define the complete process for vulnerability submission, evaluation, remediation, and rewards;
• Continuously reduce product security risks and effectively protect end-user privacy and security.
II. Vulnerability Submission and Handling Process
Submission Channel
Please submit vulnerabilities via the following email address: tsrc@tvt.net.cn
Note: This email address is only for vulnerability submissions, product security, and compliance-related issues. To ensure your requests are addressed promptly, please use other channels for other types of inquiries.
Vulnerability Handling Process
Vulnerability Submission → Verification → Confirmation → Remediation → Reward Confirmation → Reward Issuance

We commit to a response time of no more than 7 working days from vulnerability submission to confirmation.
General Vulnerability Inclusion and Evaluation Criteria
This policy applies to all non-EOS products of TVT. We classify each submitted issue by its actual impact into five levels: Critical, High, Medium, Low, and Ignored. The detailed descriptions are as follows:
• Critical
○ Direct access to system core privileges without any authentication, e.g., remote code execution (RCE) on the front end, unauthorized file upload leading to server privilege escalation (getshell).
○ Severe logic design flaws, e.g., critical security issues related to payment operations.
○ Major information disclosure, e.g., complete disclosure of product source code.
• High
○ High-risk unauthorized operations, e.g., unauthorized access to the administration background, unauthorized access to audio/video data.
○ High-risk information disclosure, e.g., directory traversal, SQL injection obtaining core system user information; SSRF vulnerabilities that can receive multiple protocols and cause actual harm (those used only for information gathering will not be included).
○ High-risk logic flaws, e.g., ability to reset any core system user password, bypassing login restrictions to gain core system account privileges.
• Medium
○ Obtaining system core privileges after authentication, e.g., backend RCE, backend file upload leading to getshell.
○ Disclosure of sensitive information stored locally that can be effectively exploited.
○ Ordinary unauthorized/privilege escalation operations, e.g., unauthorized or privilege-escalated calls to non-core business interfaces.
○ Ordinary information disclosure, e.g., SQL injection involving non-sensitive information.
○ Ordinary logic flaws, e.g., low-privilege users being able to arbitrarily reset passwords.
• Low
○ Vulnerabilities that require user interaction to successfully exploit, e.g., stored/reflected XSS, cross-site request forgery (CSRF).
○ Low-risk unauthorized/privilege escalation operations, e.g., those with very limited impact and negligible harm.
○ Low-risk information disclosure, e.g., SQL injection returning empty data.
○ Low-risk logic flaws, e.g., SMS verification code bombing (more than 5 concurrent requests).
• Ignored
○ Issues related to versions or firmware obtained through non-public channels.
○ Discontinued or early version/firmware issues, or non-product issues.
○ Weak passwords.
○ Denial-of-service attacks.
○ Vulnerabilities that cannot be reproduced or have only theoretical risk without PoC, as well as vulnerabilities generated by AI without manual verification.
○ Social engineering attacks, physical access attacks.
○ SSRF, CSRF, or XSS with no practical impact.
○ Information disclosure with no practical significance, e.g., software version numbers.
○ Issues that are not exploitable or have no potential impact, e.g., entering specific interfaces solely by intercepting traffic with packet capture tools.
○ Security hardening or best practice issues, e.g., SSL/TLS configuration suggestions, missing HTTP security headers, CSP policies.
○ Issues without practical impact, e.g., display errors, front-end style anomalies.
Recommended Report Format
The quality of the report directly affects the rating and reward determination. Thank you for your understanding and cooperation. Below is a suggested vulnerability report format:
1. Vulnerability Title: Brief description, e.g., "XX product has XX vulnerability"
2. Vulnerability Rating: Self-assessed severity: Critical / High / Medium / Low
3. Affected Products: Please specify product name, model, and firmware version
4. Vulnerability Description: Brief explanation of the vulnerability's underlying principle and its potential impact
5. Reproduction Steps: Detailed steps with complete screenshots and PoC
6. PoC/EXP/Packets: Provide relevant vulnerability packets, PoC, or EXP scripts
7. Remediation Suggestions: Description of remediation suggestions
Submission Guidelines
• For the same type of vulnerability across similar products, we will only accept the first instance. Thank you for your understanding.
• If firmware analysis is involved, please indicate the firmware version and extraction method in the report. If network protocol analysis is involved, please attach the corresponding pcap file and protocol interaction sequence to facilitate vulnerability reproduction.
• If a reported vulnerability cannot be reproduced, our security researchers will contact you to verify details. If necessary, we may ask you to provide a detailed screen recording of the reproduction steps. Your cooperation is appreciated.
• Please do not disclose any vulnerability details obtained during your testing in public channels. We deeply appreciate this.
• TVT reserves the right of final interpretation of vulnerability ratings and reward rules, and will update the policy as needed.
Thank you for your attention to and support of TVT's product safety. We look forward to working with you to safeguard user trust and privacy in the field of video security.





