How to report a security vulnerability

If you have information about a security vulnerability with a CMF by Nothing product or technology, please send an e-mail to
Encrypt sensitive information using our PGP public key. Please provide more detailed information, including:
  • The products and software versions
  • Detailed description
  • Information on known exploits
A member of the CMF by Nothing Security Team will review your e-mail and contact you to collaborate on resolving the issue. only collects security vulnerabilities related to CMF by Nothing products. If you have other product related issues, please give feedback on

PGP Public Keys

Use the public PGP key to encrypt email with sensitive information and to verify that security communications sent by CMF by Nothing are genuine.
  • Active Date: December 4, 2023
  • Expiration Date: Never
  • Key ID: 5FC6 17E8
  • Key Type: RSA
  • Fingerprint: BC02435AAC1506132BD2235BAA45224A5FC617E8
  • User ID:


Vulnerability Reward Rules

Processing flow:




Vulnerability Submission

To submit a vulnerability report, please send an email to the designated account with your registered email address for communication and rewards. The email should contain the following information: vulnerability category, title, domain name, vulnerability level, vulnerability description, details, attachments, and repair plan. 

The details section should include a description of the vulnerability testing or discovery process and the scope of impact. Please provide relevant code source documents, screenshots, and videos if necessary. If you used debugging tools during the exploitation process, please upload them as attachments. If the tools are too large, please provide a download link. Additionally, please provide the vulnerability proof of concept or exploit. 

Please note that failure to meet these requirements may result in your report not passing the review process. 

Once we receive your vulnerability report, we will complete the verification process within 30 working days and reply to your vulnerability email with the results. Please continue to monitor your email for updates.


Vulnerability Reward Rules


Vulnerability Level

Vulnerability Definition

Mall Coupon Reward Amount Range (USD)


Disclosure of sensitive information, unauthorized access to core systems or large amounts of sensitive information, ultra vires on sensitive operations.



Vulnerabilities that directly obtain permissions, lead to leakage of sensitive information, and steal internal user information.



Vulnerabilities that require interaction to obtain permissions, lead to serious information leakage, and steal internal user information.



Only in a specific environment can access permissions lead to information leakage, theft of internal user information vulnerabilities.


If the store coupon is not available in your area, we will convert it into other rewards on a pro-rata basis.

We will complete the reward distribution within 30 working days after the completion of vulnerability verification. Please check your reward in time. 


The following situations will not be rewarded:

1.Vulnerabilities unrelated to the CMF product.

2.Vulnerabilities that were made public before they were fixed.

3.Vulnerabilities that have been publicly disclosed online.

4.For the same vulnerability, the first reporter will be rewarded, and other reporters will not be rewarded. The same vulnerability in different versions is considered the same vulnerability.

5.Those who use vulnerabilities as a reason to harm user interests, affect business operations, or steal user data will not receive any points, and Nothing reserves the right to take further legal action.


The following situations will be downgraded/refunded rewards:

1.For information with serious discrepancies between the title and content, vulnerability downgrading will be carried out according to the plot, and serious cases will be treated as vulnerability/intelligence neglect.

2.Review colleagues will conduct report content moderation based on high-quality reporting standards. For reports that lack key factors (text description, image proof, testing process, risk interface, parameters, etc.), have chaotic report layout, and cannot be stably reproduced, they will be downgraded/ignored.

3.Without Nothing's permission, privately disclose vulnerability details to the public, recover vulnerability rewards, and reserve the right to sue legally.


For the same URL, if there are similar vulnerabilities in multiple parameters, rewards will be given according to one vulnerability, and rewards will be given according to the greatest degree of harm for different types.


Multiple vulnerabilities generated by the same vulnerability source are counted as one vulnerability. For example, multiple security bugs caused by the same JS, multiple page security bugs caused by the same publishing system, whole station security bugs caused by frameworks, multiple security bugs generated by domain name resolution, etc.


Submit multiple vulnerabilities in one report and reward the vulnerability with the highest level of harm..


When submitting a vulnerability, please confirm whether it will have a real impact on the business and submit proof of actual harm. Indirect harm or speculative harm will not be considered when grading.

Coupon Distribution Cycle

We will distribute rewards within 30 working days upon completing the verification of the vulnerability. Please check your reward status promptly.

Personal Information Involved

To receive the reward, you need to provide your NOTHING Mall account or other account information. However, we will not request any additional personal information during the vulnerability submission process. We will only require your registered email address for communication and your registered account information for the reward issuance.