


Author Topic: Ecobee Bug Bounty  (Read 15713 times)

Angelina

  • Moderator
  • Experienced Member
  • *****
  • Posts: 357
    • View Profile
Ecobee Bug Bounty
« on: July 26, 2023, 07:21:13 pm »
submit bug report: http://ecobee.com

About
We make wi-fi enabled smart thermostats for residential and commercial applications that are intuitive to use and beautiful to look at. We help you maximize comfort and savings without compromising your lifestyle.
Story
Before founding ecobee in 2007, Stuart Lombard was on a mission to reduce his family's carbon footprint and save money. He found a lot of ways to conserve energy, but most were complex and costly. However, he discovered that heating and cooling made up the majority of his home energy use. So, he tried a programmable thermostat. It turned out to be really complicated, even for someone with an engineering degree. And, unreliable. When Stuart and his family came home one winter day to find their house freezing, they'd had enough. He knew there had to be a better way and decided to build his own thermostat: a truly smart thermostat that was easy to install, smart enough to deliver comfort, conserve energy and pay for itself in energy savings. That day, ecobee was born.
Reporting Criteria
Failure to meet these criteria will most likely result in an Informative or NA report:
Must include steps to reproduce the vulnerability
Must include a working Proof of Concept
NO: "Leaked keys"
YES: PoC showing how the leaked keys are used to gain access ...
Response Targets
We do not work on weekends - please be patient. If we require additional information from you, please allow for another 2-3 days for our team to review and respond.
Response Target | Time (in business days)
First response (from report submit) | 2 days
Triage (from report submit) | 2 days
Resolution | Depends on severity and complexity
Test Instructions for Application Testing
You MUST use your HackerOne email alias when registering for an ecobee account
You must ensure that vulnerabilities in mobile apps are submitted for the current version. Vulnerabilities in older versions which have since been remedied will be considered invalid.
If demonstrating a vulnerability regarding unauthorized access to a customer account, please create a second account of your own; do not access accounts of customers who have not consented to this test.
Test Instructions for Hardware Testing
ecobee will not be providing test devices. If any customer or individual finds a vulnerability in an ecobee product, then he or she can safely report the details through this program.
Program Rules
Automated requests/scanning must be kept to 45 requests per minute. You run the risk of a program block/ban if you do not use your h1 email alias and send more than 45 requests per minute when testing.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report may be closed as Informative.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report. All reports after the original will be closed as Duplicate. This includes the same bug being duplicated across several web properties, or between mobile apps.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Self XSS
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues WITHOUT showing an attack vector / without being able to modify HTML/CSS.
Brute force attacks.
Flaws in third-party software for which there are no applicable patches.
Disclosure Policy
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep ecobee and our users safe!