Security Vulnerability Reporting Policy

NIO values and appreciates the efforts of security researchers and security labs to improve the security of NIO information and products. NIO supports good-faith penetration testing by security researchers and security labs, and is committed to working closely with this community to verify, reproduce and respond to legitimate reported vulnerabilities based on feedback. We encourage this community to participate in our security vulnerability reporting process by following the appropriate processes.

If you are a security researcher and you find a security vulnerability in the course of good-faith penetration testing, you can submit it through the NIO SRC platform. We will issue a reward through the platform after verification. For more information, please visit the NIO SRC platform.

NIO SRC Platform

In order to ensure that the legitimate rights of others, such as information security, privacy and personal safety, are not violated, these penetration tests must comply with the relevant laws and regulations of the People's Republic of China and the rules of the NIO SRC platform. You understand and agree that, unless authorized by NIO or in accordance with the law, you will not disclose information about penetration testing and vulnerabilities to third parties outside the NIO SRC platform, nor will you use the above information for purposes other than the discovery, verification or remediation of vulnerabilities in good faith. You should strictly abide by the test specifications when conducting penetration tests, and must not cause actual business losses or impacts to NIO. If you cause any loss or impact to NIO due to your violation of laws and regulations or this policy, you shall bear the corresponding responsibility and NIO reserves the right to hold you accountable.