Vulnerability Disclosure Programme

April 19, 2024

This is a responsible disclosure programme without bounties.

By participating in this programme, you agree to:

Respect the Code of Conduct

Respect the Scope of the programme

Not discuss or disclose vulnerability information without prior written consent.

Code of Conduct

Informers should:

  • Always act responsibly, with good faith and exercising reasonable care, for the sole purpose of reporting suspected vulnerabilities to help ensure a safer cyberspace. Where and when possible, igloocompany’s permission should be obtained before performing any actions, especially actions that may adversely affect the systems and/or users.

  • Refrain from disclosing information about the vulnerability to any third parties or the public before igloocompany has had sufficient time to develop and implement solutions to mitigate or eliminate the vulnerability.

  • Ensure that their actions do not compromise the confidentiality of any personal, sensitive and/or confidential information they may come across, including by creating unauthorised reproductions of the information or by disclosing it to unauthorised persons.

  • Be deliberate and take due care when assessing a vulnerability. This includes ensuring that their actions do not compromise the availability of systems and services, and avoiding any action that is not strictly necessary to assess, test or evaluate the security of those systems and services. In particular, Informers should not use disruptive or destructive means to find vulnerabilities, including attacks on physical security, social engineering, denial of service, spam, brute force, or third-party hacking/scanner applications aimed at the websites.

  • Comply with all applicable laws. You are advised to seek and obtain professional legal advice if you have any doubt about the scope and application of any law.

  • Provide adequate information on the reported vulnerability and work with igloocompany to validate the suspected vulnerability, including these details (where available):

    • Description of the suspected vulnerability

    • Product(s)/Service(s) affected, along with the model or software versions

    • IP address and/or URL of the subject service (if applicable)

    • Description of the methods and circumstances, including date(s) and time(s) leading to your discovery of the suspected vulnerability

    • Description of the reason(s) why you believe the suspected vulnerability may impact the subject product/service and the extent of potential impact (e.g. describe how you believe the suspected vulnerability might potentially be exploited). You may also include the Common Vulnerability Scoring System (CVSS) calculations, possible attack scenarios, or required conditions for exploitation

    • Any other relevant information such as network packet captures, crash reports, video recordings or screenshots providing evidence of the code or commands that were used in the discovery of the suspected vulnerability

Safe harbour for researchers

When conducting vulnerability research within the terms of this programme, we consider such research to be authorised by us.

Igloocompany will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will we file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the scope of the programme, Igloocompany will take steps to make it known that your actions were conducted in compliance and with our approval.

In-Scope

Domains

*.igloocompany.co
*.igloohome.co
*.iglooworks.co

Software

com.igloo.home (Android)
co.iglooworks.app (Android)
co.igloodeveloper.app (Android)
igloohome/id1026667345 (Apple)
iglooworks/id1475439033 (Apple)
igloodeveloper/id1537075568 (Apple)

Firmware

All out-of-box firmware

Hardware

All out-of-box hardware

Introduction

At igloocompany, we take your data, privacy and security seriously. Hence, we strive to achieve the highest level of security to secure your home and personal data. Despite the utmost care we take, vulnerabilities may remain. If you have identified a security vulnerability, we respectfully request you not to abuse it, but to report it to us so we can take actions to better ourselves.

We would like to engage with researchers like you to better protect our services against bad actors and to remediate vulnerabilities as soon as possible.

This programme is not an invitation to actively scan our systems for potential vulnerabilities.

Out of Scope

Any root domain not listed in the Domains section is out of scope for this programme.

Applications

  • API key disclosure without proven business impact

  • Pre-Auth Account takeover/OAuth squatting

  • Self-XSS that can't be used to exploit other users

  • Verbose messages/files/directory listings without disclosing any sensitive information

  • CORS misconfiguration on non-sensitive endpoints

  • Missing cookie flags

  • Missing security headers

  • Cross-site Request Forgery with no or low impact

  • Presence of autocomplete attribute on web forms

  • Reverse tabnabbing

  • Bypassing rate-limits or the non-existence of rate-limits

  • Best practices violations (password complexity, expiration, re-use, etc.)

  • Clickjacking without proven impact/unrealistic user interaction

  • CSV Injection

  • Sessions not being invalidated (logout, enabling 2FA, etc.)

  • Anything related to email spoofing, SPF, DMARC or DKIM

  • Content injection without being able to modify the HTML

  • Username/email enumeration

  • Email bombing

  • HTTP Request smuggling without any proven impact

  • Homograph attacks

  • XMLRPC enabled

  • Banner grabbing/Version disclosure

  • Not stripping metadata of files

  • Same-site scripting

  • Subdomain takeover without taking over the subdomain

  • Arbitrary file upload without proof of the existence of the uploaded file

  • Blind SSRF without proven business impact (pingbacks aren't sufficient)

  • Host header injection without proven business impact

General

  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate

  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited

  • Spam, social engineering and physical intrusion

  • DoS/DDoS attacks or brute force attacks

  • Vulnerabilities that only work on software that no longer receives security updates

  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts

  • Recently disclosed zero-day vulnerabilities in in-scope assets may be reported within 14 days of the public release of a patch or mitigation, but they are generally treated as out of scope (this programme offers no bounties in any case)

  • Reports that state that software is out of date/vulnerable without a proof-of-concept

  • General lock picking

Severity Assessment

Igloocompany uses the CVSS v3 industry standard as a baseline for severity scoring.

Reporting Procedure

You can email us at responsible-disclosure@igloohome.co

Please provide as much detail as possible about your concerns, together with contact details (name, email address or telephone number) so we can reach you to discuss the report.

We recommend encrypting sensitive reports with PGP and this public key.
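As an added illustration of the PGP step (this is example code, not part of the programme page, and the programme's actual public key is not reproduced here), the script below walks the full round trip with GnuPG: the vendor side generates a throwaway key pair under a hypothetical user ID and exports the public half, the researcher side imports that key, records its fingerprint, encrypts a constructed sample report to it, and cannot decrypt the result itself; the vendor side then decrypts and confirms the plaintext matches. In practice you would import the key published on the programme page instead of generating one, and compare its fingerprint against the one the programme publishes before trusting it.

```shell
#!/bin/sh
# Added example, not code from igloocompany's programme page: encrypt a
# vulnerability report to a PGP public key with GnuPG and prove the round trip.
# The programme's real key is not reproduced here; a throwaway key pair is
# generated locally to stand in for it, and the user ID below is hypothetical.
set -eu

encrypt_report_demo() {
    # Two isolated keyrings: the vendor holds the private key, the
    # researcher only ever sees the exported public key. Neither touches ~/.gnupg.
    vendor_home=$(mktemp -d)
    researcher_home=$(mktemp -d)
    work=$(mktemp -d)
    chmod 700 "$vendor_home" "$researcher_home"
    uid='responsible-disclosure@example.invalid'   # hypothetical stand-in address

    # Vendor side: generate an unprotected key pair in batch mode and publish
    # the public half as ASCII armour (what a programme page would link to)
    GNUPGHOME="$vendor_home" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$uid" default default never 2>/dev/null
    GNUPGHOME="$vendor_home" gpg --batch --quiet --armor --export "$uid" \
        > "$work/pubkey.asc"

    # Researcher side: import the published key and record its fingerprint.
    # --trust-model always is used because the key was obtained out of band
    # from the programme page, not through the web of trust; the fingerprint
    # is what you would compare against the published value.
    GNUPGHOME="$researcher_home" gpg --batch --quiet --import "$work/pubkey.asc" 2>/dev/null
    GNUPGHOME="$researcher_home" gpg --batch --with-colons --fingerprint "$uid" 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}' > "$work/fpr.txt"
    [ -s "$work/fpr.txt" ] || return 1

    # Constructed sample report (not a real finding)
    printf '%s\n' 'Sample report: suspected auth bypass on login endpoint, see steps 1-3.' \
        > "$work/report.txt"
    GNUPGHOME="$researcher_home" gpg --batch --quiet --trust-model always --armor \
        --recipient "$uid" --output "$work/report.txt.asc" --encrypt "$work/report.txt"

    # The researcher's keyring holds no private key, so decryption must fail here
    if GNUPGHOME="$researcher_home" gpg --batch --quiet \
        --decrypt "$work/report.txt.asc" >/dev/null 2>&1; then
        return 1
    fi

    # Vendor side: decrypt with the private key and compare with the original
    GNUPGHOME="$vendor_home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$work/report.dec" --decrypt "$work/report.txt.asc" 2>/dev/null
    cmp -s "$work/report.txt" "$work/report.dec" || return 1

    # Tidy up agents and temporary keyrings
    GNUPGHOME="$vendor_home" gpgconf --kill all 2>/dev/null || true
    GNUPGHOME="$researcher_home" gpgconf --kill all 2>/dev/null || true
    rm -rf "$vendor_home" "$researcher_home" "$work"
    echo ok
}

encrypt_report_demo
```

The armoured `report.txt.asc` is what you would attach to the email; the plaintext report should never leave the researcher's machine unencrypted.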

Process

  • All reports will be acknowledged within 5 working days. The acknowledgement will be sent to the initiator’s email address. If you do not receive the acknowledgement, please resend the email to ensure it is not lost in transit.

  • Investigation will take place and a response can be expected within 10 working days of email acknowledgement.

  • Depending on the investigation results, if no action is necessary, we will inform you and state the reason for our decision. However, if action is required from us, we will provide a weekly update to the initiator’s email address until the resolution of the report.

To ensure the protection of our customers, we do not publish, discuss or confirm any security issues until we have investigated and resolved the issue, if any, and corresponding security updates are available to all customers.