Logitech
Welcome to Logitech's Vulnerability Disclosure and Bug Bounty Program!
Here at Logitech we are committed to providing secure products and services to our customers. If you believe you have discovered a potential security vulnerability with any of the in-scope Logitech systems, products and/or services, we look forward to receiving your submission, and appreciate your help in disclosing the issue to us responsibly.
This program is dedicated to suspected security issues that may affect Logitech customers, systems, products and/or services. If you're having issues related to your Logitech product or a Logitech-related account, then please visit our Support Center.
Logitech looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.
Please submit a detailed description of the issue, and the steps required to reproduce what you have observed. In doing so, please make every attempt possible to protect our customers' privacy, data confidentiality, and integrity - we very much value your assistance in preserving those.
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue or access other users' data - in other words, violate this policy.
Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution.
Logitech will make a best effort to meet the following SLAs for hackers participating in our program:
Time to first response (from report submit) - 1 business day
Time to triage (from first response) - 1 business day
Time to bounty (from triage) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
We ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps required to reproduce what you have observed. In doing so, please make every attempt possible to protect our customers' privacy, data confidentiality, and integrity - we very much value your assistance in preserving those. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue or access other users' data - in other words, violate this policy.
Our customers' privacy, data confidentiality, and integrity is crucial at Logitech. You agree that you will not disclose vulnerability information reported to Logitech to any other third party, until granted permission to do so from Logitech. We endeavor to grant such permission within two to four weeks from the release of the fix that addresses the discovered vulnerability.
Follow HackerOne's disclosure guidelines.
Bounties are issued solely at the discretion of Logitech.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
You must disclose all possible ways to exploit an issue in your original report. Logitech will not issue a bounty, follow-on bounty, or bonus if we believe you are abusing the report system by not providing complete information in your initial report.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. This usually requires a working proof-of-concept typically in the form of a clickable link that we can verify. Videos or screenshots are not considered definitive proof.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Denial of service attacks
Password cracking attempts, including but not limited to: brute forcing, rainbow attacks, word list substitution, pattern checking
Clickjacking on pages with no sensitive actions
Attacks requiring takeover of the email or social account authenticating the victim account.
Tab-nabbing on non-user provided links (reports accepted, but not bounty eligible)
Unauthenticated/logout/login CSRF
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration.
Social engineering attacks (including phishing, vishing, smishing)
Software version disclosure
Issues requiring direct physical access to hardware (with the exception of hardware vulnerabilities)
Flaws affecting out-of-date browsers and plugins
Email enumeration / account oracles
CSP Policy Weaknesses
Email Spoofing
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Installer based DLL or EXE side-load attacks must involve a privilege escalation and be functional without requiring repackaging inside of a container format (such as zip or 7z). If they don't meet this requirement, reports will be closed as informative.
For Bounty eligible assets, Logitech's default policy is to award the bounty after a Logitech team member has confirmed the issue during the Triage process. We generally won't wait to award a bounty until the item is fixed as some products have long lead times in deploying fixes. However, we may make an exception to this policy on a report-by-report basis. Bounties are only awarded for actual security or privacy impacting reports.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Logitech and our customers safe!
| Scope Type | Scope Name |
|---|---|
| android_application | com.logitech.ueboom |
| android_application | com.logitech.circle |
| android_application | com.streamlabs.slobsrc |
| android_application | com.streamlabs |
| android_application | com.logitech.logue |
| application | Streamlabs Desktop Application PC/MAC |
| application | Logitech Sync |
| application | Logi Tune PC/MAC |
| application | Other Logitech Desktop and Mobile Application |
| application | Harmony Remote Software |
| application | G Hub |
| application | Logitech Options PC/MAC |
| application | Logi Options+ PC/MAC |
| hardware | USB Unifying and LightSpeed Receivers |
| hardware | Circle Cameras |
| hardware | Video Conferencing Products |
| hardware | Harmony Remotes |
| hardware | Presentation Remotes |
| hardware | Logitech Mice & Keyboards |
| hardware | Ultimate Ears Speakers |
| hardware | Other Logitech Hardware/IoT |
| ios_application | 632344648 |
| ios_application | 1018340690 |
| ios_application | 1294578643 |
| ios_application | 1476615877 |
| ios_application | 1456293789 |
| other | Scope Questions: Items not explicitly listed here |
| web_application | circle.logi.com |
| web_application | id.logi.com |
| web_application | accounts.logi.com |
| web_application | *.streamlabs.com |
| web_application | sync.logitech.com |
| web_application | *.challonge.com |
| web_application | partner.logitech.com |
| web_application | *.logitech.com |
| web_application | www.logitech.com |
| web_application | community.logitech.com |
| web_application | *.logitechg.com |
| web_application | www.logitech-partner.com |
| web_application | maintenance.logitech.com |
| web_application | *.jaybirdsport.com |
| web_application | *.ultimateears.com |
| web_application | *.astrogaming.com |
| web_application | *.ultimateearsuniversity.com |
| web_application | *.mysqueezebox.com |
| web_application | *.logitechmusic.com |
| web_application | *.logitechauthorization.com |
| web_application | *.logitech-channel-marketing.com |
| web_application | buy.logitech.com |
| web_application | outage.logitech.com |
| web_application | outagehistory.logitech.com |
| web_application | external.logitech.com |
| web_application | logilife.logitech.com |
| web_application | store.logitech.com.cn |
| web_application | logitech.zendesk.com |
| web_application | *.harmonyremote.com |
| web_application | *.slimdevices.com |
| web_application | support.logi.com |
| web_application | feedback.logitech.com |
| web_application | *.uesmartradio.com |
| web_application | www.logitechstore.com.br |
| web_application | jira.logitech.com |
| web_application | www.logitech.com/my-account |
| web_application | *.myharmony.com |
| web_application | alert.logitech.com |
| web_application | *.lukwerks.com |
| web_application | *.cognitiveperformer.com |
| web_application | *.streamlabscharity.com |
| web_application | *.oslo.io |
| web_application | *.lucra.live |
| web_application | *.melonapp.com |
| web_application | *.logitech.io |
| web_application | *.wlo.link |
| web_application | *.mevo.com |
| web_application | *.logi.com |
| web_application | logitechgchallenge.com |
| web_application | *.crossclip.com |
| web_application | www.logitechclub.com |
| web_application | *vc.logitech.com |
| Scope Type | Scope Name |
|---|---|
| hardware | Squeezebox Products |
| hardware | Logitech Alert Cameras |
| web_application | *.saitekforum.com |
| web_application | *.saitek-fr.com |
| web_application | *.saitek.com |
| web_application | *.wilife.com |
| web_application | *.teambeyond.net |
Firebounty have crawled on 2019-10-30 the program Logitech on the platform Hackerone.
FireBounty © 2015-2024
