Security Vulnerability Report

Vulnerability submission

How to report a security vulnerability issue

If you have a security vulnerability issue with a Nothing product or application, please send an e-mail to

Use the public PGP key to encrypt email with sensitive information and to verify that security communications sent by Nothing are genuine.

Active Date: July 4, 2022

Expiration Date: N/A

Key ID: 0xA785B8AA

Key Type: RSA

Key Size: 4096/4096

Fingerprint: 96A4 6E60 11B0 32D9 8D54 B384 F6EF CEC6 A785 B8AA

User ID:

In your email, please provide the following information:

  • Detailed description of the issue
  • The products and software versions
  • Information on known exploits
  • Vulnerability category
  • Vulnerability title
  • Domain name
  • Vulnerability level
  • Vulnerability description
  • Additional details
  • Attachments (if any)
  • Repair plan

Please detail the process of discovering the issue and its impact. Please also include any relevant code source documents, screenshots or videos. If you used debugging tools during the vulnerability exploitation process, please upload them as attachments. If the tools are too large, please provide a download link. Additionally, please provide the vulnerability proof of concept or exploit. 

Note: failure to meet these requirements may result in your report not passing the review process.

Once we receive your vulnerability report, we will complete the verification process within 30 working days and reply to your vulnerability email with the results. Please continue to monitor your email for updates. only collects security vulnerabilities related to Nothing products. If you have other product related issues, you can reach us via our contact us page.

Vulnerability rewards

Vulnerability rewards incentivise individuals to report security vulnerabilities. Rewards are tiered based on the vulnerability levels, with more critical issues earning higher rewards. The table below outlines the vulnerability levels and rewards.


$1000 - $2000

Disclosure of sensitive information, unauthorised access to core systems or large amounts of sensitive information, ultra vires on sensitive operations.


$500 - $1000

Vulnerabilities that directly obtain permissions, lead to leakage of sensitive information, and steal internal user information.


$100 - $500

Vulnerabilities that require interaction to obtain permissions, lead to serious information leakage, and steal internal user information.


$20 - $100

Only in a specific environment can access permissions lead to information leakage, theft of internal user information vulnerabilities.

If the store coupon is not available in your region, we will convert it into other rewards on a pro-rata basis.

Terms and conditions apply to all vouchers. Voucher amounts and types are at Nothing's sole discretion.


The following situations will not be rewarded:

  1. Vulnerabilities unrelated to the Nothing products.
  2. Vulnerabilities that were made public before they were fixed.
  3. Vulnerabilities that have been publicly disclosed online.
  4.  For the same vulnerability, only the first reporter will be rewarded; subsequent reporters will not receive a reward. A vulnerability found in different versions is still considered the same vulnerability.
  5.  Those who exploit vulnerabilities to harm user interests, disrupt business operations, or steal user data will not receive any rewards. Additionally, Nothing reserves the right to take further legal action.
  6. By participating in the vulnerability submission program, you acknowledge and agree that any rewards granted are subject to the terms and conditions of this program. If rewards are provided in the form of cash or are otherwise taxable, it is your responsibility to comply with local tax laws and declare and pay any applicable taxes associated with the reward received. Nothing is not responsible for any individual tax obligations that may arise.
  7. Due to legal restrictions, Nothing may not be able to process rewards for countries/regions that are subject to sanctions. 

Rewards will be downgraded or cancelled in the following situations:

  1. For information with serious discrepancies between the title and content, vulnerability downgrading will be carried out accordingly, in serious cases rewards will be cancelled..
  2. Review will be moderated based on high-quality reporting standards. For reports that lack key factors (text description, image proof, testing process, risk interface, parameters, etc.), have  poor structured report layout, and cannot be consistently reproduced, they will be downgraded/ignored.
  3. Publicly disclosing details of vulnerabilities without Nothing's permission In such cases, Nothing reserves the right to recover vulnerability rewards and take appropriate legal action, including seeking damages and/or injunctive relief.

For the same URL, if there are similar vulnerabilities in multiple parameters, rewards will be given according to one vulnerability, and rewards will be given according to the greatest degree of harm for different types.

Multiple vulnerabilities generated by the same source are counted as a single vulnerability. For example, multiple security bugs caused by the same JS, multiple page security bugs caused by the same publishing system, whole station security bugs caused by frameworks, multiple security bugs generated by domain name resolution, etc.

If you submit multiple vulnerabilities in the same report, we will reward you with the highest damage level vulnerability.

When submitting a vulnerability, please confirm whether it will have a real impact on the business and submit proof of actual harm. Indirect harm or speculative harm will not be considered when grading.

Reward Distribution Cycle:

We will distribute rewards within 30 working days upon completing the verification of the vulnerability via email(?). Please check your reward status promptly.

Personal Information Involved

To receive the reward, you need to provide your account or other account information. However, we will not request any additional personal information during the vulnerability submission process. We will only require your registered email address for communication and your registered account information for the reward issuance.

We will access, process, and share your personal information in accordance with our Privacy Policy. By participating , you agree to the access, use, and sharing of your personal information as described above and in our Privacy Policy. If you have any questions regarding this Privacy Policy or its implementation, here is how you can reach us: Email Address: