We value cybersecurity and are committed to continuously strengthening the protection of our websites. If you are a security researcher and discover a potential vulnerability on our site, we sincerely invite you to report it — eligible reports will be rewarded.

 

 

Scope of the Program

This bug bounty program applies only to the following websites:

http://www.auo.com

 

Reports are limited to public pages and functionality belonging to the websites listed above. Do not test company internal systems, third-party services, or non-public endpoints.

 

AUO reserves the right to modify this list at any time without prior notice.

 

 

Eligibility Criteria

To ensure legality and simplify verification, this program only accepts participants who are citizens of the Republic of China (Taiwan) and at least 18 years old.

 

Participants must provide valid identification when submitting a report for identity verification and subsequent reward disbursement.

 

Acceptable Vulnerability Types (including but not limited to):

 

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Authentication bypass
  • Privilege escalation
  • Server-side programming errors (e.g., remote code execution, SQL injection)
  • Sensitive data exposure (e.g., unauthorized access to personal data or configuration files)

 

 

Items Not Eligible for Rewards

To focus on website security itself, the following items will not be eligible for rewards:

 

  • Low-risk information discovered by automated tooling
  • Clickjacking
  • Missing HTTP headers (e.g., CSP, HSTS)
  • Publicly available information such as whois data or metadata
  • Denial-of-service testing (e.g., DoS attacks)
  • Social engineering or phishing
  • Zero-day vulnerabilities or attacks disclosed publicly within the past 90 days
  • Vulnerability scan reports that do not detail the security impact
  • Theoretical risks without a concrete proof-of-concept (PoC)

 

 

Reporting Priority Rule

If two or more participants discover and report the same vulnerability concurrently, the reward will be granted to the person who submitted the first complete report. Subsequent reporters are appreciated but will not receive an additional reward.

 

 

Responsible Disclosure Policy

We encourage responsible disclosure. Participants must adhere to the following principles:

 

  • Do not exploit or publicly disclose vulnerability details.
  • Do not disrupt services or affect other users.
  • Perform only non-intrusive testing.
  • Stop testing immediately once a vulnerability is found and submit a report.

 

Reported v