Vulnerability Disclosure Programme
This is a responsible disclosure programme without bounties.
By participating in this programme, you agree to:
Respect the Code of Conduct
Respect the Scope of the programme
Not discuss or disclose vulnerability information without prior written consent.
Code of Conduct
Informers should:
Always act responsibly, with good faith and exercising reasonable care, for the sole purpose of reporting suspected vulnerabilities to help ensure a safer cyberspace. Where and when possible, igloocompany’s permission should be obtained before performing any actions, especially actions that may adversely affect the systems and/or users.
Refrain from disclosing information about the vulnerability to any third parties or the public before igloocompany has had sufficient time to develop and implement solutions to mitigate or eliminate the vulnerability.
Ensure that their actions do not compromise the confidentiality of any personal, sensitive and/or confidential information they may come across, including by creating unauthorised reproductions of the information or by disclosing the information to unauthorised persons.
Be deliberate and take due care when performing actions pertaining to assessing a vulnerability. This includes ensuring that the actions do not compromise the availability of systems and services, and avoiding actions that are not strictly necessary for the purposes of assessing, testing, or evaluating the security of the systems and services. In particular, Informers should not use disruptive or destructive means to find vulnerabilities, including attacks on physical security, social engineering, denial of service, spam, brute force, or third-party hacking/scanner applications to target websites.
Comply with all applicable laws. You are advised to seek and obtain professional legal advice if you have any doubt about the scope and application of any law.
Provide adequate information on the reported vulnerability and work with igloocompany to validate the suspected vulnerability, including these details (where available):
Description of the suspected vulnerability
Product(s)/Service(s) affected, along with the model or software versions
IP address and/or URL of the subject service (if applicable)
Description of the methods and circumstances, including date(s) and time(s) leading to your discovery of the suspected vulnerability
Description of the reason(s) why you believe the suspected vulnerability may impact the subject product/service and the extent of potential impact (e.g. describe how you believe the suspected vulnerability might potentially be exploited). You may also include the Common Vulnerability Scoring System (CVSS) calculations, possible attack scenarios, or required conditions for exploitation
Any other relevant information such as network packet captures, crash reports, video recording or screenshots providing evidence of codes or commands that were used in the discovery of the suspected vulnerability
Safe harbour for researchers applies
When conducting vulnerability research within the terms of this programme, we consider such research to be authorised by us.
Igloocompany will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will we file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.
If legal action is initiated by a third party against you and you have complied with the scope of the programme, Igloocompany will take steps to make it known that your actions were conducted in compliance and with our approval.
In-Scope
Domains
*.igloocompany.co
*.igloohome.co
*.iglooworks.co
Software
com.igloo.home (Android)
co.iglooworks.app (Android)
co.igloodeveloper.app (Android)
igloohome/id1026667345 (Apple)
iglooworks/id1475439033 (Apple)
igloodeveloper/id1537075568 (Apple)
Firmware
All out-of-box firmware
Hardware
All out-of-box hardware
Introduction
At igloocompany, we take your data, privacy and security seriously. Hence, we strive to achieve the highest level of security to secure your home and personal data. Despite the utmost care we take, vulnerabilities may remain. If you have identified a security vulnerability, we respectfully request you not to abuse it, but to report it to us so we can take actions to better ourselves.
We would like to engage with researchers like you to better protect our services against bad actors and to remediate vulnerabilities as soon as possible.
This programme is not an invitation to actively scan our systems for potential vulnerabilities.
Out of Scope
Any root domain that is not listed in the Domains section is out of scope for this programme
Applications
API key disclosure without proven business impact
Pre-Auth Account takeover/OAuth squatting
Self-XSS that can't be used to exploit other users
Verbose messages/files/directory listings without disclosing any sensitive information
CORS misconfiguration on non-sensitive endpoints
Missing cookie flags
Missing security headers
Cross-site Request Forgery with no or low impact
Presence of autocomplete attribute on web forms
Reverse tabnabbing
Bypassing rate-limits or the non-existence of rate-limits
Best practices violations (password complexity, expiration, re-use, etc.)
Clickjacking without proven impact/unrealistic user interaction
CSV Injection
Sessions not being invalidated (logout, enabling 2FA, etc.)
Anything related to email spoofing, SPF, DMARC or DKIM
Content injection without being able to modify the HTML
Username/email enumeration
Email bombing
HTTP Request smuggling without any proven impact
Homograph attacks
XMLRPC enabled
Banner grabbing/Version disclosure
Not stripping metadata of files
Same-site scripting
Subdomain takeover without taking over the subdomain
Arbitrary file upload without proof of the existence of the uploaded file
Blind SSRF without proven business impact (pingbacks aren't sufficient)
Host header injection without proven business impact
General
If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
Spam, social engineering and physical intrusion
DoS/DDoS attacks or brute force attacks
Vulnerabilities that only work on software that no longer receives security updates
Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
Reports that state that software is out of date/vulnerable without a proof-of-concept
General lock picking
Severity Assessment
Igloocompany uses the CVSS v3 industry standard as a baseline for severity scoring.
Reporting Procedure
You can email us at responsible-disclosure@igloohome.co
Please ensure you provide as much detail as possible about your concerns and provide us with contact details (Name, email address or telephone number) so we can contact you to discuss your concerns.
We recommend encrypting sensitive reports with PGP and this public key.
Process
All reports will be acknowledged within 5 working days. The acknowledgement will be sent to the initiator’s email address. If you do not receive the acknowledgement, please resend the email to ensure it is not lost in transit.
Investigation will take place and a response can be expected within 10 working days of email acknowledgement.
Depending on the investigation results, if no action is necessary, we will inform you and state the reason for our decision. However, if action is required from us, we will provide a weekly update to the initiator’s email address until the resolution of the report.