06/08/2019
ecobee

About

We make wi-fi enabled smart thermostats for residential and commercial applications that are intuitive to use and beautiful to look at. We help you maximize comfort and savings without compromising your lifestyle.

Story

Before founding ecobee in 2007, Stuart Lombard was on a mission to reduce his family's carbon footprint and save money. He found a lot of ways to conserve energy, but most were complex and costly. However, he discovered that heating and cooling made up the majority of his home energy use. So, he tried a programmable thermostat. It turned out to be really complicated, even for someone with an engineering degree. And unreliable. When Stuart and his family came home one winter day to find their house freezing, they'd had enough. He knew there had to be a better way and decided to build his own thermostat: a truly smart thermostat that was easy to install, smart enough to deliver comfort, conserve energy, and pay for itself in energy savings. That day, ecobee was born.

Reporting Criteria

Failure to meet these criteria will most likely result in an Informative or NA report:

  • Must include steps to reproduce the vulnerability
  • Must include a working Proof of Concept
    • NO: "Leaked keys"
    • YES: PoC showing how the leaked keys are used to gain access ...

Response Targets

We do not work on weekends - please be patient. If we require additional information from you, please allow for another 2-3 days for our team to review and respond.

Response Target | Time (in business days)
---|---
First response (from report submit) | 2 days
Triage (from report submit) | 2 days
Resolution | Depends on severity and complexity

Test Instructions for Application Testing

  • You MUST use your HackerOne email alias when registering for an ecobee account
  • You must ensure that vulnerabilities in mobile apps are submitted for the current version. Vulnerabilities in older versions which have since been remedied will be considered invalid.
  • If demonstrating a vulnerability involving unauthorized access to a customer account, please create a second account of your own; do not access accounts of customers who have not consented to this test.

Test Instructions for Hardware Testing

  • ecobee will not be providing test devices. If any customer or individual finds a vulnerability in an ecobee product, then he or she can safely report the details through this program.

Program Rules

  • Automated requests/scanning must be kept to 45 requests per minute. You run the risk of a program block/ban if you do not use your h1 email alias and send more than 45 requests per minute when testing.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report may be closed as Informative.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only triage the first report. All reports after the original will be closed as Duplicate. This includes the same bug being duplicated across several web properties, or between mobile apps.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Self XSS
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues WITHOUT showing an attack vector / without being able to modify HTML/CSS.
  • Brute force attacks.
  • Flaws in third-party software for which there are no applicable patches.

Disclosure Policy

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne's disclosure guidelines.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep ecobee and our users safe!

In Scope

Scope Type | Scope Name
---|---
android_application | com.ecobee.athenamobile
android_application | com.ecobee.emsmobile
ios_application | 572987124
ios_application | 916985674
web_application | sb.ecobee.com
web_application | ls-api.ecobee.com
web_application | ls.ecobee.com
web_application | home.ecobee.com
web_application | eva.ecobee.com
web_application | es.ecobee.com
web_application | api.ecobee.com
web_application | www.ecobee.com/home
web_application | admin.ecobee.com
web_application | sb-auth.ecobee.com
web_application | www.ecobee.com/consumerportal
web_application | home.hm-prod.ecobee.com
web_application | api.beta.ecobee.com
web_application | beehive.ecobee.com
web_application | home-fw.hm-prod.ecobee.com
web_application | ls-fw.ecobee.com
web_application | vpn.ecobee.com
web_application | rebatefinder.ecobee.com
web_application | teleport.ecobee.com
web_application | grafana.infra.ecobee.com
web_application | ssp.ecobee.com
web_application | stg.chronos.ecobee.com
web_application | lofn.ecobee.com
web_application | files.ecobee.com
web_application | www.ecobee.com
web_application | capture.ecobee.com
web_application | content.ecobee.com
web_application | terra.ecobee.com
web_application | developer.beta.ecobee.com
web_application | rebatefinder-stage.ecobee.com
web_application | beta.ecobee.com
web_application | metrics.ls-dev.ecobee.com
web_application | web.cw-dev.ecobee.com
web_application | home-fw.hm-stage.ecobee.com
web_application | schedulepilot.labs.ecobee.com
web_application | rebatefinder-dev.ecobee.com
web_application | utilities.ecobee.com

Out of Scope

Scope Type | Scope Name
---|---
web_application | confluence.ecobee.com
web_application | lyncdiscover.ecobee.com
web_application | payments.ecobee.com
web_application | shop.ecobee.com
web_application | stage.ecobee.com
web_application | status.ecobee.com
web_application | support.ecobee.com
web_application | vibee.ecobee.com
web_application | email.ecobee.com
web_application | graylog.ecobee.com
web_application | help.ecobee.com
web_application | labs.ecobee.com
web_application | learning.ecobee.com
web_application | austinenergy.ecobee.com
web_application | cdn01.ecobee.com
web_application | ls-staging.ecobee.com
web_application | snipeit.ecobee.com
web_application | duo.ecobee.com


FireBounty crawled the ecobee program on the HackerOne platform on 2019-08-06.
