Welcome to Logitech's Vulnerability Disclosure Program!
Please note this program does not provide monetary rewards for bug
submissions, and it is used for responsible disclosure purposes only.
Here at Logitech we are committed to providing secure products and services to
our customers. If you believe you have discovered a potential security
vulnerability with any of Logitech's systems, products and/or services, we
look forward to receiving your submission, and appreciate your help in
disclosing the issue to us responsibly.
This program is dedicated to suspected security issues that may affect
Logitech customers, systems, products and/or services. If you're having issues
related to your Logitech product or a Logitech-related account, then please
visit our Support Center.
Logitech looks forward to working with the security community to find security
vulnerabilities in order to keep our business and customers safe.
- Our customers' privacy, data confidentiality and integrity are crucial at Logitech. You agree that you will not disclose vulnerability information reported to Logitech to any other third party. Public disclosure may be allowed upon request, and only after Logitech has granted written permission to do so through this program. In such cases, we endeavor to grant such permission within four weeks from the release of the fix that addresses the discovered vulnerability.
- Follow HackerOne's disclosure guidelines.
- Please submit a detailed description of the issue, and the steps required to reproduce what you have observed. In doing so, please make every attempt possible to protect our customers' privacy, data confidentiality, and integrity; we very much value your assistance in preserving those. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue or accesses other users' data, or who otherwise violates this policy.
Upon receipt of your report, we endeavor to review and address any security
issues in a timely manner. We will communicate with you during our
investigation and upon resolution, as needed, and will try to keep you
informed about our progress throughout the process.
- Please provide detailed reports with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only recognize as valid the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue are considered one issue.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope:
- Denial of service attacks
- Password cracking attempts, including but not limited to: brute forcing, rainbow table attacks, word list substitution, pattern checking
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Social engineering attacks (including phishing, vishing, smishing)
- Software version disclosure
- Issues requiring direct physical access to hardware (with the exception of hardware vulnerabilities)
- Flaws affecting out-of-date browsers and plugins
- Email enumeration / account oracles
- Content Security Policy (CSP) weaknesses
- Email Spoofing
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Logitech Alert desktop and mobile software is out of scope, but Logitech Alert cloud services are in scope.
- Installer-based DLL or EXE side-load attacks must involve a privilege escalation and be functional without requiring repackaging inside of a container format (such as zip or 7z). Reports that don't meet this requirement will be closed as informative.
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Thank you for helping keep Logitech and our customers safe!
Firebounty crawled the Logitech VDP program on the HackerOne platform on 2019-10-30.