| Scope Type | Scope Name |
|---|---|
| android_application | Nighthawk Android App |
| android_application | Orbi Android App |
| android_application | Insight Android App |
| ios_application | Nighthawk iOS App |
| ios_application | Orbi iOS App |
| ios_application | Insight iOS App |
| undefined | Nighthawk Pro Gaming Router |
| undefined | Nighthawk Pro Gaming Switch |
| undefined | Insight Managed Smart Cloud Wireless Access Point |
| web_application | Insight Cloud Portal |
NETGEAR’s mission is to be the innovative leader in connecting the world to the internet. To achieve this mission, we must earn and maintain our customers’ trust by protecting the privacy and security of their data.
This program encourages and rewards contributions by developers and security researchers who help make NETGEAR's products more secure. NETGEAR provides monetary rewards and kudos for qualifying vulnerability submissions to this program. For submissions outside the scope of this program, NETGEAR awards Kudos points. Please click on the following link to the NETGEAR Kudos Rewards Program.
Arlo products have their own Bug Bounty program. Please click the following link to the Arlo Cash Rewards Program.
Only the following products are eligible for cash rewards:
| Product | Firmware | Web Management | Client Apps | Cloud Infrastructure |
|---|---|---|---|---|
| Nighthawk Pro Gaming Routers | X | X | X | |
| Nighthawk Pro Gaming Switches | X | X | X | |
| Nighthawk Routers | X | X | X | |
| Nighthawk Switches | X | X | X | |
| Orbi | X | X | X | |
| Insight Managed Smart Cloud Wireless Access Points | X | X | X | X |
Only vulnerabilities found in the latest version of the products above are eligible. To find the latest version, search by model number at NETGEAR Support. The targets listed below denote the Cloud Infrastructure that supports in-scope devices and are included in scope:
| Target name | Type |
|---|---|
| Nighthawk Pro Gaming Router | IoT |
| Nighthawk Pro Gaming Switch | IoT |
| Nighthawk Router | IoT |
| Nighthawk Switch | IoT |
| Nighthawk iOS App | iOS |
| Nighthawk Android App | Android |
| Orbi | IoT |
| Orbi iOS App | iOS |
| Orbi Android App | Android |
| Insight Managed Smart Cloud Wireless Access Point | IoT |
| <https://api.netgear.com> | API |
| Insight iOS App | iOS |
| Insight Android App | Android |
| <https://updates.netgear.com> | Website |
| Insight Cloud Portal | Website |
Testing is only authorized on the targets listed as In-Scope. Any domain/property of NETGEAR not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
The NETGEAR Product Security team, at its sole discretion, determines the nature and impact of the vulnerabilities disclosed, including, but not limited to, leveraging the CVSS rating methodology to identify the appropriate payouts.
The first valid submission to alert NETGEAR of a previously unknown issue qualifies for reward. Reward guidelines are based on the default configuration of devices, where applicable. NETGEAR builds products using a common platform and framework. Multiple products sometimes inherit the same vulnerability. When determining bounty rewards, NETGEAR grants a single reward that accounts for all affected products.
| Priority | Reward ($) |
|---|---|
| P1 | $1,200 |
| P2 | $600 |
| P3 | $300 |
| P4 | $150 |
Note: NETGEAR uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, NETGEAR will defer to the CVSS score to determine the priority.
NETGEAR rewards eligible submissions to researchers who report a vulnerability (or series of vulnerabilities) that demonstrably leads to one or more of the following results. NETGEAR includes all products and services in scope for these rewards. Cash Rewards will be awarded based on the following:
Remote unauthorized access to the full NETGEAR customer database. The same vulnerability submission is not allowed for a different model.
In addition to these Terms and Conditions regarding the NETGEAR Responsible Disclosure Program (the "Program"), there may be additional restrictions depending upon applicable local laws.
NETGEAR RESERVES THE RIGHT TO MODIFY OR CANCEL THE NETGEAR RESPONSIBLE DISCLOSURE PROGRAM AT ANY TIME WITHOUT NOTICE. ALL PARTICIPANTS AND SUBMISSIONS ARE STRICTLY VOLUNTARY. THIS OFFER IS VOID WHERE PROHIBITED BY LAW AND IN PARTICIPATING, YOU MUST NOT VIOLATE ANY LAW. YOU ALSO MUST NOT DISRUPT ANY SERVICE OR COMPROMISE ANYONE’S DATA.
This bounty follows Bugcrowd’s Public Disclosure Policy.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.