SmartThings takes the security of our systems seriously, and we value our relationship with our customers and the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
We require that all researchers:
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below; and
- Use the identified communication channels to report vulnerability information to us; and
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to receive and will not consider:
- Personally identifiable information (PII)
- Credit card holder data
- Out of scope issues
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and resolve the issue quickly;
Scope & Reporting a Security Vulnerability
SmartThings has partnered with BugCrowd to help security researchers and our users test for, and alert our security team to, discovered vulnerabilities. The BugCrowd platform allows us to host, triage, and respond to reports in an efficient and effective manner, helping SmartThings continuously improve the security of our products.
To get started:
- Register on BugCrowd platform at https://bugcrowd.com/user/sign_up
- Read through our program rules at https://bugcrowd.com/smartthings and get started!