Bambu Lab Bug Bounty Program​

The Bambu Lab Bug Bounty program is an opportunity for cybersecurity enthusiasts, ethical hackers, and security researchers to collaborate with us in further securing our digital infrastructure. We fully understand the importance of staying ahead of potential security threats and patching any vulnerabilities.​

Why a Bug Report Program?​

In today's interconnected world, cybersecurity is a top priority when developing complex machines and services. Despite our best efforts, no system is entirely immune to vulnerabilities and with the Bambu Lab Bug Bounty Program, we aim to get help in ensuring the safety and integrity of our systems. This proactive approach not only strengthens our security systems but also further improves safety and reliability for our customers.​

How It Works:​

Participating in The Bambu Lab Bug Bounty Program is straightforward:​

  1. Discover: Security Researchers can commence testing and exploration within the defined parameters, hunting for potential vulnerabilities according to the Scope and Eligibility and following the Rules of Engagement.​
  2. Report: Upon discovering a security issue, participants can submit a detailed report by sending an email to with their findings. ​
  3. Validation: Our team of experts will promptly review each submission to verify its legitimacy and severity, and will provide a reply in less than 1 week after receiving the message.​
  4. Reward: Valid reports will be rewarded based on the severity of the vulnerability and adherence to our guidelines. Rewards include monetary compensation, recognition, and our heartfelt gratitude for contributing to our security efforts. Rewards for confirmed vulnerabilities are expected to be paid out within 1 to 3 months.
  5. Resolution: Once validated, our team will work diligently to address and remediate the reported vulnerabilities in the shortest time possible. ​

Vulnerability reporting process

Scope and Eligibility:​

The Bambu Lab Bug Bounty Program covers the following items:​

  • Web applications: *,
  • Mobile application: Bambu Handy (iOS and Android)​
  • Firmware: X1 Series, P1 Series, A1 Series​
  • Authentication mechanisms

Response processing time​

  1. Fatal vulnerabilities are followed up and dealt with within 48 hours, and preliminary conclusions and ratings are given.​
  2. High-risk vulnerabilities will be followed up and dealt with within 3 working days, and preliminary conclusions and scores will be given.​
  3. The remaining vulnerabilities will be followed up and scored within 7 working days. If the reporter thinks it is an emergency, an email can be sent to, and the email will be processed after confirmation by the auditor.​
  4. The repair time for vulnerabilities generally does not exceed 90 days, and the difficulty of repairing​

vulnerabilities may vary.

Types of Vulnerabilities and Reward Tiers​

Critical vulnerabilities represent the most severe threats to our system's integrity and user data. They have the potential to cause catastrophic damage and compromise large portions of our infrastructure. Examples include:​

  1. Execute Arbitrary Code in a Viable Trusted Execution Environment (TEE):​    
    This vulnerability allows an attacker to execute arbitrary code within a Trusted Execution Environment (TEE), bypassing security measures and gaining unauthorized access to sensitive data and functionalities.​
  2. Execute Arbitrary Code Remotely, Resulting in Device Control:​    
    Attackers can remotely execute arbitrary code on devices, leading to complete control over a significant number of devices within our network. This can result in data breaches, privacy violations, and widespread disruption of services.​
  3. Remote Permanent Denial of Service (Device Bricks or Requires Complete Firmware Reburning to Recover):​    
    Vulnerabilities in this category can render devices permanently inoperable or require extensive firmware reinstallation to restore functionality. Such incidents can lead to significant financial losses and reputational damage.​
  4. Bypass and Secure Boot Mechanism:​    
    This vulnerability enables attackers to bypass secure boot mechanisms, compromising the device's integrity and allowing unauthorized code execution during the boot process, posing a severe security risk.​

High-severity vulnerabilities pose substantial risks to our system's security and may result in unauthorized access, data breaches, or service disruptions. Examples include:​

  1. Unauthorized TEE Access:​    
    This vulnerability allows attackers to gain unauthorized access to the Trusted Execution Environment (TEE), potentially compromising sensitive data and critical system functionalities.​
  2. Remote Arbitrary Code Execution, Resulting in Device Control:​    
    Attackers can remotely execute arbitrary code on individual devices, gaining control over them and potentially exploiting them for malicious purposes.​
  3. Remote Temporary Denial of Service (Device Downtime or Restart):​    
    Vulnerabilities in this category can lead to temporary denial of service, causing device downtime or requiring system restarts to restore normal operations.​
  4. Remote Access to User Sensitive Data and Protected Model Files:​    
    This vulnerability allows unauthorized access to user-sensitive data and protected model files, jeopardizing user privacy and confidentiality.​

Medium-severity vulnerabilities represent potential security risks that could compromise user data or system functionality to a moderate extent. Examples include:​

  1. Local Arbitrary Code Execution (No Hardware Changes):​    
    Attackers can execute arbitrary code on local devices without requiring hardware modifications, potentially accessing sensitive data or affecting system operations.​
  2. Local Access to User Sensitive Data and Protected Model Files:​    
    This vulnerability allows local access to user-sensitive data and protected model files, posing a moderate risk to user privacy and data security.​

Low-severity vulnerabilities typically have limited impact and pose minimal risk to our system's security and user data. Examples include:​

  1. Local Arbitrary Code Execution (Using Hardware Modifications):​    
    This vulnerability requires hardware modifications for local arbitrary code execution, limiting its practical exploitation and impact on our system's security.​

By categorizing vulnerabilities into these tiers, we aim to prioritize our response efforts and allocate resources effectively to address the most critical threats first, ensuring the security and integrity of our systems and user data. The monetary reward will reflect the type of vulnerability found and reported. ​

Rules of Engagement​

To ensure a productive and harmonious collaboration, we've established rules of engagement for participants, including:​

  • Respect for user privacy and data confidentiality​
  • Prohibition of any actions that may disrupt or compromise our services​
  • Compliance with all applicable laws and regulations​

Prohibited Actions​

Participants are strictly prohibited from engaging in the following activities:​

  • Exploiting vulnerabilities to harm users' interests, including but not limited to stealing user profiles, privacy, and virtual property.​
  • Downloading any code and data from Bambu Lab during the vulnerability testing process. ​
  • Using vulnerabilities to attack Bambu Lab's system, causing system downtime or failure.​
  • Intimidating, extorting, or maliciously exaggerating the impact of vulnerabilities to cause public panic.​
  • Irresponsible disclosure of vulnerabilities, including malicious dissemination or trading of vulnerabilities before they are fixed.​
  • Engaging in harmful or uncontrollable safety testing practices.​
  • Testing that violates international general laws or local regulations.​
  • Failing to properly safeguard data during the vulnerability testing process, resulting in losses suffered by Bambu Lab.​

Report a bug​

Ready to make a difference? If you wish to report vulnerabilities found in our services, please send an email to


Bambu Lab reserves the right to modify the terms and conditions of the Bug Bounty Program at any time without prior notice. Participation in the program implies acceptance of all applicable rules and guidelines. Rewards are subject to change based on the severity and impact of reported vulnerabilities.