06/08/2019

Rewards offered: Thanks, Gift, Hall of Fame, Reward

In Scope

Scope Type | Scope Name
---|---
android_application | com.ecobee.athenamobile
android_application | com.ecobee.emsmobile
hardware | ecobee will not be providing test devices. If any customer or individual finds a vulnerability in an ecobee product, then he or she can safely report the details through this program.
ios_application | 572987124
ios_application | 916985674
web_application | ls-api.ecobee.com
web_application | ls.ecobee.com
web_application | home.ecobee.com
web_application | eva.ecobee.com
web_application | api.ecobee.com
web_application | home.hm-prod.ecobee.com
web_application | api.beta.ecobee.com
web_application | beehive.ecobee.com
web_application | home-fw.hm-prod.ecobee.com
web_application | ls-fw.ecobee.com
web_application | vpn.ecobee.com
web_application | rebatefinder.ecobee.com
web_application | teleport.ecobee.com
web_application | grafana.infra.ecobee.com
web_application | ssp.ecobee.com
web_application | stg.chronos.ecobee.com
web_application | lofn.ecobee.com
web_application | files.ecobee.com
web_application | www.ecobee.com
web_application | capture.ecobee.com
web_application | content.ecobee.com
web_application | terra.ecobee.com
web_application | developer.beta.ecobee.com
web_application | rebatefinder-stage.ecobee.com
web_application | beta.ecobee.com
web_application | metrics.ls-dev.ecobee.com
web_application | web.cw-dev.ecobee.com
web_application | home-fw.hm-stage.ecobee.com
web_application | schedulepilot.labs.ecobee.com
web_application | rebatefinder-dev.ecobee.com
web_application | utilities.ecobee.com
web_application | Automated requests/scanning must be kept to 45 requests per minute.
web_application | You MUST use your h1 email alias as your test account.

Out of Scope

Scope Type | Scope Name
---|---
web_application | confluence.ecobee.com
web_application | lyncdiscover.ecobee.com
web_application | payments.ecobee.com
web_application | shop.ecobee.com
web_application | stage.ecobee.com
web_application | status.ecobee.com
web_application | support.ecobee.com
web_application | vibee.ecobee.com
web_application | email.ecobee.com
web_application | graylog.ecobee.com
web_application | help.ecobee.com
web_application | labs.ecobee.com
web_application | learning.ecobee.com
web_application | austinenergy.ecobee.com
web_application | cdn01.ecobee.com
web_application | ls-staging.ecobee.com
web_application | snipeit.ecobee.com
web_application | duo.ecobee.com

ecobee

About

We make wi-fi enabled smart thermostats for residential and commercial applications that are intuitive to use and beautiful to look at. We help you maximize comfort and savings without compromising your lifestyle.

Story

Before founding ecobee in 2007, Stuart Lombard was on a mission to reduce his family's carbon footprint and save money. He found a lot of ways to conserve energy, but most were complex and costly. However, he discovered that heating and cooling made up the majority of his home energy use. So, he tried a programmable thermostat. It turned out to be really complicated, even for someone with an engineering degree. And, unreliable. When Stuart and his family came home one winter day to find their house freezing, they'd had enough. He knew there had to be a better way and decided to build his own thermostat: a truly smart thermostat that was easy to install, smart enough to deliver comfort, conserve energy, and pay for itself in energy savings. That day, ecobee was born.

Reporting Criteria

Failure to meet these criteria will most likely result in an Informative or NA report:

  • Must include steps to reproduce the vulnerability
  • Must include a working Proof of Concept
    • NO: "Leaked keys"
    • YES: PoC showing how the leaked keys are used to gain access ...

Response Targets

We do not work on weekends - please be patient. If we require additional information from you, please allow for another 2-3 days for our team to review and respond.

Response Target | Time (in business days)
---|---
First response (from report submit) | 2 days
Triage (from report submit) | 2 days
Resolution | Depends on severity and complexity

Test Instructions for Application Testing

  • You MUST use your HackerOne email alias when registering for an ecobee account
  • You must ensure that vulnerabilities in mobile apps are submitted for the current version. Vulnerabilities in older versions which have since been remedied will be considered invalid.
  • If demonstrating a vulnerability regarding unauthorized access to a customer account, please create a second account of your own; do not access accounts of customers who have not consented to this test.

Test Instructions for Hardware Testing

  • ecobee will not be providing test devices. If any customer or individual finds a vulnerability in an ecobee product, then he or she can safely report the details through this program.

Program Rules

  • Automated requests/scanning must be kept to 45 requests per minute. You run the risk of a program block/ban if you do not use your h1 email alias and send more than 45 requests per minute when testing.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report may be closed as Informative.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only triage the first report. All reports after the original will be closed as Duplicate. This includes the same bug being duplicated across several web properties, or between mobile apps.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Self XSS
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues WITHOUT showing an attack vector/without being able to modify HTML/CSS
  • Brute force attacks
  • Flaws in third-party software for which there are no applicable patches.

Disclosure Policy

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne's disclosure guidelines.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep ecobee and our users safe!

FireBounty © 2015-2019