Submit bug report:
https://www.adafruit.com/responsibledisclosurethanks/Reporting Security Issues
At Adafruit, we understand that security is essential in maintaining the trust you place in us to provide products and services to you. Although our team works vigilantly to help keep customer information secure, we recognize the important role that security researchers and our user community play in helping to keep our users secure. If you are a security researcher and have discovered a security vulnerability in our website or service, we ask for your help in disclosing it to us in a responsible manner.
If you discover a site vulnerability or are a customer who is concerned your account has been compromised, please notify us via security@adafruit.com. We encourage you to encrypt sensitive information; please see below for our public PGP key. For verified vulnerabilities and bugs, we may offer certain rewards for your smarts and efforts at our discretion as a thank you (such as store credit and Adafruit gear!).
To researchers who have reported valid security vulnerabilities can opt to be added to our hall of fame listed here in the "Hall of Fame":
https://www.adafruit.com/responsibledisclosurethanks/When reaching out to us, please include:
A detailed summary of the issue, including a list of steps for how we can reproduce it.
Correct contact information, such as an email address, by which we can reach you in case we need more information.
Whether and how you would like us to identify you in our "Hall of Fame".
We believe in placing our users' interests first. We believe that responsible disclosure involves privately notifying us of any security vulnerabilities, and allowing us appropriate time to diligently address the vulnerabilities before making full disclosure to the public. For our part, while we are working on addressing the vulnerability, we will advise customers of potential risk if appropriate where it does not increase the overall risk to customers. We will do our best to notify you as soon as the vulnerability has been addressed and ask that you do not disclose it publicly or share it with others until then.
We appreciate these types of research activities, but will not tolerate any actions that put our users at risk:
Do not attempt to access, modify, destroy, or disclose our users' information.
Do not attempt to deface or degrade our services.
Do not violate applicable law.
Reporting your vulnerability
Submissions must include written instructions for reproducing the vulnerability.
If reporting vulnerabilities as a video, we ask you to not post POCs publicly without our consent to video-sharing sites such as Youtube, Vimeo . In the case that you need to share a video please ensure it is password protected.
We ask you do not publicly disclose your submission until Adafruit has evaluated the impact.
The combined contributions of all security professionals in our community are essential to keeping us all secure. We thank everyone in the community for their efforts.
INSCOPE DOMAINS
*adafruit.com
*adafruitdaily.com
NOT INSCOPE
makecode.adafruit.com (Microsoft).
IoT devices used by a 3rd party.
Broken links.
New user email - Registered users are not required to validate their email address by default.
Public Wishlists - Wishlists are private by default, users must choose to make list public.
Account squatting.
REWARDS
$25 to $50 via PayPal and/or store credit = CVSS Score 0.0 - 6.5
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS, DOM & Reflected)
Server Side Request Forgery (SSRF)
Protection Mechanism bypasses (CSRF bypass, etc.)
Directory Traversal
IDOR (Privilege Escalation)
$100 to $150 via PayPal and/or store credit = CVSS Score 6.5 - 10.0
SQL injections
Privilege Escalations
Code Executions
Cross-Site Scripting (Stored)
File inclusions (Local & Remote)
Authentication Bypasses
Leakage of sensitive data
Payment manipulation
Administration portals without authentication mechanism
Open redirects which allow stealing tokens/secrets
OUT OF SCOPE VULNERABILITIES
Captcha related.
Social Engineering attacks.
Outdated OS/browser vulnerabilities.
Self-XSS.
Man in the Middle (MiTM) attacks.
Denial of Service.
Generic output from scanning tools (software version, missing security headers, etc).
Missing SPF records.
Brute force attacks compromising existing users.
We do not consider XMLRPC in itself a vulnerability. XMLRPC specific methods such as pingback and getUsersBlogs are disabled therefore out of scope. We will review reports for other methods.
The CircuitPython AWS S3 bucket is intentionally left public.The reported bucket
https://adafruit-circuit-python.s3.amazonaws.com is our public s3 bucket for people to use with our SAMD21 boards. This is public knowledge as stated in our tutorial which was published December 2018 which is why the library reports dating that far back.
User's AIO (adafruit.io) keys on Github not part of our internal team/use. Adafruit IO keys (AIO KEY) belonging to users are considered a 3rd party and not in scope as these are independent IoT projects.
Only one reward per bug.
Rewards over the listed amount are at our discretion.
PGP key information:
We encourage you to encrypt sensitive information you send to us as a part of your vulnerability disclosure. You can use our PGP key to send us sensitive information via security@adafruit.com
