Reporting Security Issues
At Adafruit, we understand that security is essential in maintaining the trust you place in us to provide products and services to you. Although our team works vigilantly to help keep customer information secure, we recognize the important role that security researchers and our user community play in helping to keep our users secure. If you are a security researcher and have discovered a security vulnerability in our website or service, we ask for your help in disclosing it to us in a responsible manner.
If you discover a site vulnerability or are a customer who is concerned your account has been compromised, please notify us via [email protected]. We encourage you to encrypt sensitive information; please see below for our public PGP key. For verified vulnerabilities and bugs, we may offer certain rewards for your smarts and efforts at our discretion as a thank you (such as store credit and Adafruit gear!).
To researchers who have reported valid security vulnerabilities can opt to be added to our hall of fame listed here in the "Hall of Fame": https://www.adafruit.com/responsibledisclosurethanks/
When reaching out to us, please include:
- A detailed summary of the issue, including a list of steps for how we can reproduce it.
- Correct contact information, such as an email address, by which we can reach you in case we need more information.
- Whether and how you would like us to identify you in our "Hall of Fame".
We believe in placing our users' interests first. We believe that responsible disclosure involves privately notifying us of any security vulnerabilities, and allowing us appropriate time to diligently address the vulnerabilities before making full disclosure to the public. For our part, while we are working on addressing the vulnerability, we will advise customers of potential risk if appropriate where it does not increase the overall risk to customers. We will do our best to notify you as soon as the vulnerability has been addressed and ask that you do not disclose it publicly or share it with others until then.
We appreciate these types of research activities, but will not tolerate any actions that put our users at risk:
- Do not attempt to access, modify, destroy, or disclose our users' information.
- Do not attempt to deface or degrade our services.
- Do not violate applicable law.
Reporting your vulnerability
- Submissions must include written instructions for reproducing the vulnerability.
- If reporting vulnerabilities as a video, we ask you to not post POCs publicly without our consent to video-sharing sites such as Youtube, Vimeo . In the case that you need to share a video please ensure it is password protected.
- We ask you do not publicly disclose your submission until Adafruit has evaluated the impact.
The combined contributions of all security professionals in our community are essential to keeping us all secure. We thank everyone in the community for their efforts.
IoT devices used by a 3rd party.
New user email - Registered users are not required to validate their email address by default.
Public Wishlists - Wishlists are private by default, users must choose to make list public.
$25 to $50 via PayPal and/or store credit = CVSS Score 0.0 - 6.5
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS, DOM & Reflected)
- Server Side Request Forgery (SSRF)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Directory Traversal
- IDOR (Privilege Escalation)
$100 to $150 via PayPal and/or store credit = CVSS Score 6.5 - 10.0
- SQL injections
- Privilege Escalations
- Code Executions
- Cross-Site Scripting (Stored)
- File inclusions (Local & Remote)
- Authentication Bypasses
- Leakage of sensitive data
- Payment manipulation
- Administration portals without authentication mechanism
- Open redirects which allow stealing tokens/secrets
OUT OF SCOPE VULNERABILITIES
- Captcha related.
- Social Engineering attacks.
- Outdated OS/browser vulnerabilities.
- Man in the Middle (MiTM) attacks.
- Denial of Service.
- Generic output from scanning tools (software version, missing security headers, etc).
- Missing SPF records.
- Brute force attacks compromising existing users.
- We do not consider XMLRPC in itself a vulnerability. XMLRPC specific methods such as pingback and getUsersBlogs are disabled therefore out of scope. We will review reports for other methods.
- The CircuitPython AWS S3 bucket is intentionally left public.The reported bucket https://adafruit-circuit-python.s3.amazonaws.com is our public s3 bucket for people to use with our SAMD21 boards. This is public knowledge as stated in our tutorial which was published December 2018 which is why the library reports dating that far back.
- User's AIO (adafruit.io) keys on Github not part of our internal team/use. Adafruit IO keys (AIO KEY) belonging to users are considered a 3rd party and not in scope as these are independent IoT projects.
Only one reward per bug.
Rewards over the listed amount are at our discretion.
PGP key information:
We encourage you to encrypt sensitive information you send to us as a part of your vulnerability disclosure. You can use our PGP key to send us sensitive information via [email protected]:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: Mailvelope v1.5.2 Comment: https://www.mailvelope.com xsFNBFgSGh4BEAC6kp+TCD0FzzhhPtsRdZ7cdfFKSYtvxWitNdn54+UhppUE xqavNGaSuz5jbMqojz2INWL8m0I7H8kA8NHYq4nhTtqIOh0C//7u/mKDy88j j2nDFvKoT9n01j3mfQzWUAfVaMJ1OdKh5+oupELw1zqxFGy1COKKmMAjmM9L HmkL2Y6cXGqgLK8IbuoYZ87MUzAAI6jrASCn4llf1F+g/Qqoh3uqt0D7OCij SbVksMo1roqo6qJlNq/q8gtp5cqYiYb56bpSwd7uQCwhEA3VuqpedkIvgEQk E80VLBD+L9MuLQxzaU9MyNxWH+pr2rTmffcrKSf8S1cpXZsR4Gcom90riXK8 YYLIC5EtZV8aQNQ621WwifkRhsUuQL8VWEzGp4eccgQlmx/4HHyFCONwB3Fm ewiTehKT+ZfEuFXGjKij4XUgoO28zlDVEtwr9b3xOg2jYlfE9KAnY29uqZx0 bDlgpysWgwdnjgFwHbdpp/0khDfxKtlpxoF6jTng6vLpRknmZW26FDYh45kK 9rwxlMDNuKzeNJI/jWotaKb1vFx1KtwvOlvZ93kPua9XkgvWvc1qfC4QI6V8 UzSpV6Mfzcjz8gh1UwCrXXqph2TOpMXPzElAJXAf44h1UgsJpbyOngl4xWb1 Xi+QMF1f5VTzmvvETmnBAiNncN6stv8lv7pogwARAQABzS5BZGFmcnVpdCBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBhZGFmcnVpdC5jb20+wsF1BBABCAAp BQJYEhoiBgsJCAcDAgkQy2Xcle98YS0EFQgCCgMWAgECGQECGwMCHgEAAFJ+ EACw//CCx9juEt7kLY87RX7U1cqMmXdKFHBco4XumBHufjXKCHClX//enggj bWiaN/YZozQkKZfkcAey0IY70166EAPUzcZwzqX4ZSI7F/Er0WHr07pLa1aF QWslVL2e3CWfTM2k6PjgC8puvcooK2J/Y1cRn33w0NcDZJJQ9uk/npd0/xzD AFWRU6kbPoGa1AJ7mGbKJbx0aYnShqiVSCDBYI0F/bHB0IoRJ8EEDbmqbVhQ kaKjIKFaDLW16jyyQF32bMDaVywtw7ce9liS0bq98x/TnN9te1S5ZV4Y3x+i xUQG15w66uhhjyfu6D6/n8MwLf23hIeqZd5e1pSynvAMoveZd73zuYNfozO6 U9Scq/azkbOVXTO69F1MUVY81KEa0E9VAgEBPPaEwdC5dOEpQQoBfiC3oWRr rOmKvGdCE/MLsBvh39IbToeNSBAcPPJIg7HVGzkiv4FZyHWQnoLBYk+zvpM3 AV+yzxHicm/r+n1HoDVT4Gr64fuzEalgiCkfuBdTaA1Keu8uXrb8aps6MgLP d+IBYWYSfLG3gcqugiGRGpuqUDkIcf4PbQB4PxGKAIvVmTRY9uE5r34W24/p kYOBoLfAm5UKZ/0kT8Zh0yV0YLYzXjdxojBqoZNIUXz01oZdQ4yzjhlZpjb8 cd28eS0G0EwR7SsM3rm81wd2ec7BTQRYEhoeARAA83O4nNHuyFx2C+mHvdgv Qr4g/uYHog+vYYy0oQBFPGmuGwZ+y3ooPMSbcpcmurh+0aBnkZToimubm/Ip CXcJ28o6RH2KIPX0X6Q2HsWNAM6BVBWCezajDRxcIjL2DQHSoot0jovHq7Jt 3VjxCfm/OJyLkPoi2NHg4PJ7Be5bPOX1qyj0k/caRFKQxzvCARe4zWn9Pe7Y Yt+e1dMWzy4NDmz8BjKCkng4xM1Nc7/2/SYdbvngEWyhOWrLScttK5h85sx8 V2sWYxC7S5CPLRZRBteU+gMUmE2k6hDZIPWA/icLXwcFjtIArZWAjYix85EE 5d0U1Dkjr6SAt7FolPrVHFxe3jII50PhlE/3bWnQlQJL5ndJfOs9957Kvf0N IqtzmDtzNTqrD1XWT6mrxssFcoxjgpBzsw3QXzGcm7C/Mbtzq63eRk4qt5iy KeB/jZm/IhHMMyhJEIHK9kGu5GRji5Q/Ypql3qAjwAz49UzHvGuBnkAjbQLG WTDzje/vxTQDaG43eEfyBg3qTE4vcMWZVJm1MMURkblZqFVoZUVBpdr4Pqfz +vYTxPDZGCdRHs4qv07tu4kcGemyqyanoMmzjLYmWXedQmdUwT7UT7vrCeS2 A7HPJUPl7MUaBcI6UxU9Lo1Dz1skqOpclPG2D3YfCG4fhy3EEVmCsl7QIPxh MqEAEQEAAcLBXwQYAQgAEwUCWBIaJAkQy2Xcle98YS0CGwwAADfpD/9c/5el kFAZTTcc1zqqvVYsLEf6alq8Jc7umoD+fQKkvHnZPzPnInvb4dOcywfBTq75 qW6xzfhG/xOWFvoMNZEiVeR01sHzLDxyjwHtneEovw/L8W3375r3d/K7aMu3 E7ib/4eTNyts4A1VQfHah8+g6DkSCNzvPGjlWZE2SejMk2XDG+umlzGAWG+I xlraf4o+5ayE+O36CEyodALf1zkmG0VWVqEaLByGiwhZMoSH57Dh5vwxPm6B fDBhg5FSfrPkU6E/c0VEuAz8g3zzvLkrDIgDDcKO5S6l1IXrgWsosWj2bjFI KgMWPWq834IRNe5kQMy+ZBRpxJG0X11b5yQJVSI0d0nuGwvppWVk8l4UkIHp CNL2fSjHWI7BO7YdUilwa+9OeW7cMPyt78nFxrd4hARocOIY3OBCuBeiv9FX 7rpWtCphgmeRscBtGsOO8GGXhOW2TTpyusPsyT0KSfkCy3/GlMhAHf141xBZ 4Zg8M2upB1Zfwz3lvfnalAY+/xPW9XQEHr6rdZog7wNFlMx2rZz9Zoi7K3cY cF3hDsi+AbT6NrJcWo6cgUz8EVkMYrEEUd+X4cqA9nCC2w8eMxo1cPghKHNT oR9LijUkJBFZPFKRsbG2PDp3gcLw1QTNjTHDYFREbJKjfAmWbyyZqzAG067+ gb3Sv+T9pF74xfyyrw== =yfgW -----END PGP PUBLIC KEY BLOCK-----
Keeping Your Account Protected - November 2016.
A GitHub repository was public-viewable - March 2022.