
Logitech VDP

Welcome to Logitech's Vulnerability Disclosure Program!

Please note this program does not provide monetary rewards for bug submissions, and it is used for responsible disclosure purposes only.

Here at Logitech we are committed to providing secure products and services to our customers. If you believe you have discovered a potential security vulnerability with any of Logitech's systems, products and/or services, we look forward to receiving your submission, and appreciate your help in disclosing the issue to us responsibly.

This program is dedicated to suspected security issues that may affect Logitech customers, systems, products and/or services. If you're having issues related to your Logitech product or a Logitech-related account, then please visit our Support Center.

Logitech looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe.

Disclosure Policy

  • Our customers' privacy, data confidentiality and integrity are crucial at Logitech. You agree that you will not disclose vulnerability information reported to Logitech to any other third party. Public disclosure may be allowed upon request, and only after Logitech has granted written permission to do so through this program. In such cases, we endeavor to grant such permission within four weeks from the release of the fix that addresses the discovered vulnerability.
  • Follow HackerOne's disclosure guidelines.
  • Please submit a detailed description of the issue, and the steps required to reproduce what you have observed. In doing so, please make every attempt possible to protect our customers' privacy, data confidentiality, and integrity - we very much value your assistance in preserving those. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users' data - in other words, anyone who violates this policy.


Upon receipt of your report, we endeavor to review and address any security issues in a timely manner. We will communicate with you during our investigation and upon resolution, as needed, and will try to keep you informed about our progress throughout the process.

Program Rules

  • Please provide detailed reports with reproducible steps.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only recognize as valid the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue are considered one issue.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Denial of service attacks
  • Password cracking attempts, including but not limited to: brute forcing, rainbow-table attacks, word list substitution, pattern checking
  • Clickjacking on pages with no sensitive actions
  • Unauthenticated/logout/login CSRF
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Social engineering attacks (including phishing, vishing, smishing)
  • Software version disclosure
  • Issues requiring direct physical access to hardware (with the exception of hardware vulnerabilities)
  • Flaws affecting out-of-date browsers and plugins
  • Email enumeration / account oracles
  • Content Security Policy (CSP) weaknesses
  • Email Spoofing
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Logitech Alert desktop and mobile software is out of scope, but Logitech Alert cloud services are in scope.
  • Installer-based DLL or EXE side-load attacks must involve a privilege escalation and be functional without requiring repackaging inside of a container format (such as zip or 7z). Reports that don't meet this requirement will be closed as informative.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Logitech and our customers safe!

FireBounty crawled the program Logitech VDP on the HackerOne platform on 2019-10-30.

FireBounty © 2015-2020