
Responsible Disclosure of Security Vulnerabilities - iFixit


# Responsible Disclosure of Security Vulnerabilities

We're working with the security community to make iFixit safe for everyone.

Reporting security issues

If you've discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

We'll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. If you believe you have discovered a vulnerability or have a security incident to report, please email security@ifixit.com. Please include a detailed summary of the issue you discovered. Be sure to include an email address where we can reach you in case we need more information.

Code of Conduct

Please act in good faith towards our users' privacy and data during your disclosure. When testing for vulnerabilities, please do not insert test code into popular public guides or threads. These guides are used by thousands of people daily, and disrupting their experience by testing for vulnerabilities is harmful.

Please, always make a new guide or ask a new question instead! If those actions are not possible, please delete all guides, comments, and posts when you have completed your testing and reporting.

We won't take legal or administrative action against you or your account if you act accordingly: White hat researchers are always appreciated.

Bug Bounty

We're happy to provide a reward to users who report valid security vulnerabilities. To be eligible for credit and a reward, you must:

  • Be the first person to responsibly disclose the bug.
  • Report a bug that could compromise our users' private data, circumvent the system's protections, or enable access to a system within our infrastructure.

Please do report:

  • Persistent Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication
  • Circumvention of our framework's privacy and permission models
  • Remote Code Execution

Please do not report:

  • Outdated versions of WordPress with no known vulnerabilities
  • Username enumeration
  • Self-XSS
  • Missing DNS SPF records
  • Security problems with subdomains such as createsend.ifixit.com that are operated by third-party services

Our security team will assess each bug to determine if it qualifies. We do our best to respond to your reports in a timely manner. We aim to respond within 3 business days; however, some reports take longer than others to investigate. We reply only during business hours (9AM-5PM PST, weekdays, excluding holidays). Repeated emails will NOT result in a quicker response, and may bump your report to the end of the queue.


Thank you for your help with keeping the iFixit community safe. We really appreciate it.

Here are people who have responsibly disclosed vulnerabilities in the past:













This program, crawled on 2015-06-30, is sorted as bounty.

FireBounty © 2015-2022
