SmartThings lets you easily monitor, control, and secure your home from
anywhere in the world.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
This program only awards points for VRT based submissions.
| Target name | Type |
| --- | --- |
| SmartThings Hub | IoT |
| SmartThings Mobile Application for iOS | iOS |
| SmartThings Mobile Application for Android | Android |
| SmartThings Rest APIs | API |
| SmartThings Graph Console | Website |
Any domain/property of SmartThings not listed in the targets section is out of
scope. This includes any/all subdomains not listed above.
Researchers are encouraged to self-provision accounts and/or use any devices
they currently own for testing. When registering, for identification purposes,
please use your @bugcrowdninja.com email address. For more info regarding
@bugcrowdninja email addresses, see
- Connect wirelessly with a wide range of smart devices and make them work together.
- Monitor and control connected devices in your home using a single SmartThings app for iPhone or Android.
- Receive alerts from connected devices when there’s activity in your home.
- Automate connected devices in your home and set them to turn on or off when doors are opened, as people come and go, and much more.
- Manage connected devices in your home with SmartThings Routines for Good Morning, Goodbye, Good Night, and more.
- Control connected devices in your home with voice commands using SmartThings and Amazon Alexa or Google Home.
- Requires an internet-connected Wi-Fi router with an available Ethernet port, SmartThings hub with connecting devices, plus the free SmartThings app for Android (4.1 or later) or iPhone (iOS 9.0 or later).
- All OWASP Top 10 issues pertaining to web and mobile applications
- Non-Self XSS (Self-XSS is out of scope)
- All Injection flaws
- Authentication and authorization flaws
- Remote exploitation of the hub, including code execution bugs, overflows, command injection, gaining console/root access, etc. (Weaknesses and security issues in the ZigBee/wireless protocol itself are out of scope.)
- Sensitive information leakage: OAuth tokens, PII, secrets
- Remote or local bugs exploiting the tester’s own environment (hub, mobile app, sensors, and communication to/from these devices) that would allow exploitation of OTHER customers’ data or environments
- All Supporting SmartThings REST APIs (*.api.smartthings.com) used by the mobile apps
- Malicious File Uploads with an exploit PoC
- Third-party libraries used by SmartThings
- TLS related configuration flaws
- Username / email enumeration
- Issues related to password complexity
- DoS/DDoS. Do not flood the cloud API servers with large payloads.
- OAuth token expiration and scope
- API Rate Limitations
- Low or informational risk findings
- Password policies (strength, lockout, expiration etc.)
- Leakage of non-secret data, such as unique identifiers, via GET requests is out of scope. Secret data such as passwords and access tokens are in scope.
- All vulnerabilities should be reported with a non-malicious exploit/proof of concept to determine the impact of the issue. While doing so, please limit the data exposure to a maximum of 5 accounts/queries, as applicable.
This program follows Bugcrowd’s standard disclosure
Learn more about Bugcrowd’s VRT.