Reporting Security Issues
At Adafruit, we understand that security is essential in maintaining the trust you place in us to provide products and services to you. Although our team works vigilantly to help keep customer information secure, we recognize the important role that security researchers and our user community play in helping to keep our users secure. If you are a security researcher and have discovered a security vulnerability in our website or service, we ask for your help in disclosing it to us in a responsible manner.
If you discover a site vulnerability or are a customer who is concerned your account has been compromised, please notify us via [email protected]. We encourage you to encrypt sensitive information; please see below for our public PGP key. For verified vulnerabilities and bugs, we may offer certain rewards for your smarts and efforts at our discretion as a thank you (such as store credit and Adafruit gear!).
Researchers who have reported valid security vulnerabilities can opt to be added to our "Hall of Fame", listed here: https://www.adafruit.com/responsibledisclosurethanks/
When reaching out to us, please include:
- A detailed summary of the issue, including a list of steps for how we can reproduce it.
- Correct contact information, such as an email address, by which we can reach you in case we need more information.
- Whether and how you would like us to identify you in our "Hall of Fame".
We believe in placing our users' interests first. We believe that responsible disclosure involves privately notifying us of any security vulnerabilities, and allowing us appropriate time to diligently address the vulnerabilities before making full disclosure to the public. For our part, while we are working on addressing the vulnerability, we will advise customers of potential risk if appropriate where it does not increase the overall risk to customers. We will do our best to notify you as soon as the vulnerability has been addressed and ask that you do not disclose it publicly or share it with others until then.
We appreciate these types of research activities, but will not tolerate any actions that put our users at risk:
- Do not attempt to access, modify, destroy, or disclose our users' information.
- Do not attempt to deface or degrade our services.
- Do not violate applicable law.
Reporting your vulnerability
- Submissions must include written instructions for reproducing the vulnerability.
- If reporting a vulnerability as a video, do not post the PoC publicly on video-sharing sites such as YouTube or Vimeo without our consent. If you need to share a video, please ensure it is password protected.
- We ask you do not publicly disclose your submission until Adafruit has evaluated the impact.
The combined contributions of all security professionals in our community are essential to keeping us all secure. We thank everyone in the community for their efforts.
IN-SCOPE DOMAINS
*adafruit.com
*adafruitdaily.com
NOT IN SCOPE
makecode.adafruit.com (Microsoft).
IoT devices used by a 3rd party.
Broken links.
New user email - Registered users are not required to validate their email address by default.
Public Wishlists - Wishlists are private by default, users must choose to make list public.
Account squatting.
Data harvested from the dark web, pastebin, or other breaches.
REWARDS
$25 to $50 via PayPal and/or store credit = CVSS Score 0.0 - 6.5
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS, DOM & Reflected)
- Server Side Request Forgery (SSRF)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Directory Traversal
- IDOR (Privilege Escalation)
$100 to $150 via PayPal and/or store credit = CVSS Score 6.5 - 10.0
- SQL injections
- Privilege Escalations
- Code Executions
- Cross-Site Scripting (Stored)
- File inclusions (Local & Remote)
- Authentication Bypasses
- Leakage of sensitive data
- Payment manipulation
- Administration portals without authentication mechanism
- Open redirects which allow stealing tokens/secrets
OUT OF SCOPE VULNERABILITIES
- Captcha related.
- Social Engineering attacks.
- Outdated OS/browser vulnerabilities.
- Self-XSS.
- Man in the Middle (MiTM) attacks.
- Denial of Service.
- Generic output from scanning tools (software version, missing security headers, etc).
- Missing SPF records.
- Brute force attacks compromising existing users.
- We do not consider XMLRPC in itself a vulnerability. XMLRPC specific methods such as pingback and getUsersBlogs are disabled therefore out of scope. We will review reports for other methods.
- The CircuitPython AWS S3 bucket is intentionally public. The reported bucket https://adafruit-circuit-python.s3.amazonaws.com is our public S3 bucket for people to use with our SAMD21 boards. This is public knowledge, as stated in our tutorial published in December 2018, which is why reports of it date back that far.
- Users' Adafruit IO (adafruit.io) keys found on GitHub that are not part of our internal team or our own use. Adafruit IO keys (AIO KEY) belonging to users are considered third-party and not in scope, as these are independent IoT projects.
Only one reward per bug.
Rewards over the listed amount are at our discretion.
PGP key information:
We encourage you to encrypt sensitive information you send to us as a part of your vulnerability disclosure. You can use our PGP key to send us sensitive information via [email protected]:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v1.5.2
Comment: https://www.mailvelope.com

xsFNBFgSGh4BEAC6kp+TCD0FzzhhPtsRdZ7cdfFKSYtvxWitNdn54+UhppUE
xqavNGaSuz5jbMqojz2INWL8m0I7H8kA8NHYq4nhTtqIOh0C//7u/mKDy88j
j2nDFvKoT9n01j3mfQzWUAfVaMJ1OdKh5+oupELw1zqxFGy1COKKmMAjmM9L
HmkL2Y6cXGqgLK8IbuoYZ87MUzAAI6jrASCn4llf1F+g/Qqoh3uqt0D7OCij
SbVksMo1roqo6qJlNq/q8gtp5cqYiYb56bpSwd7uQCwhEA3VuqpedkIvgEQk
E80VLBD+L9MuLQxzaU9MyNxWH+pr2rTmffcrKSf8S1cpXZsR4Gcom90riXK8
YYLIC5EtZV8aQNQ621WwifkRhsUuQL8VWEzGp4eccgQlmx/4HHyFCONwB3Fm
ewiTehKT+ZfEuFXGjKij4XUgoO28zlDVEtwr9b3xOg2jYlfE9KAnY29uqZx0
bDlgpysWgwdnjgFwHbdpp/0khDfxKtlpxoF6jTng6vLpRknmZW26FDYh45kK
9rwxlMDNuKzeNJI/jWotaKb1vFx1KtwvOlvZ93kPua9XkgvWvc1qfC4QI6V8
UzSpV6Mfzcjz8gh1UwCrXXqph2TOpMXPzElAJXAf44h1UgsJpbyOngl4xWb1
Xi+QMF1f5VTzmvvETmnBAiNncN6stv8lv7pogwARAQABzS5BZGFmcnVpdCBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBhZGFmcnVpdC5jb20+wsF1BBABCAAp
BQJYEhoiBgsJCAcDAgkQy2Xcle98YS0EFQgCCgMWAgECGQECGwMCHgEAAFJ+
EACw//CCx9juEt7kLY87RX7U1cqMmXdKFHBco4XumBHufjXKCHClX//enggj
bWiaN/YZozQkKZfkcAey0IY70166EAPUzcZwzqX4ZSI7F/Er0WHr07pLa1aF
QWslVL2e3CWfTM2k6PjgC8puvcooK2J/Y1cRn33w0NcDZJJQ9uk/npd0/xzD
AFWRU6kbPoGa1AJ7mGbKJbx0aYnShqiVSCDBYI0F/bHB0IoRJ8EEDbmqbVhQ
kaKjIKFaDLW16jyyQF32bMDaVywtw7ce9liS0bq98x/TnN9te1S5ZV4Y3x+i
xUQG15w66uhhjyfu6D6/n8MwLf23hIeqZd5e1pSynvAMoveZd73zuYNfozO6
U9Scq/azkbOVXTO69F1MUVY81KEa0E9VAgEBPPaEwdC5dOEpQQoBfiC3oWRr
rOmKvGdCE/MLsBvh39IbToeNSBAcPPJIg7HVGzkiv4FZyHWQnoLBYk+zvpM3
AV+yzxHicm/r+n1HoDVT4Gr64fuzEalgiCkfuBdTaA1Keu8uXrb8aps6MgLP
d+IBYWYSfLG3gcqugiGRGpuqUDkIcf4PbQB4PxGKAIvVmTRY9uE5r34W24/p
kYOBoLfAm5UKZ/0kT8Zh0yV0YLYzXjdxojBqoZNIUXz01oZdQ4yzjhlZpjb8
cd28eS0G0EwR7SsM3rm81wd2ec7BTQRYEhoeARAA83O4nNHuyFx2C+mHvdgv
Qr4g/uYHog+vYYy0oQBFPGmuGwZ+y3ooPMSbcpcmurh+0aBnkZToimubm/Ip
CXcJ28o6RH2KIPX0X6Q2HsWNAM6BVBWCezajDRxcIjL2DQHSoot0jovHq7Jt
3VjxCfm/OJyLkPoi2NHg4PJ7Be5bPOX1qyj0k/caRFKQxzvCARe4zWn9Pe7Y
Yt+e1dMWzy4NDmz8BjKCkng4xM1Nc7/2/SYdbvngEWyhOWrLScttK5h85sx8
V2sWYxC7S5CPLRZRBteU+gMUmE2k6hDZIPWA/icLXwcFjtIArZWAjYix85EE
5d0U1Dkjr6SAt7FolPrVHFxe3jII50PhlE/3bWnQlQJL5ndJfOs9957Kvf0N
IqtzmDtzNTqrD1XWT6mrxssFcoxjgpBzsw3QXzGcm7C/Mbtzq63eRk4qt5iy
KeB/jZm/IhHMMyhJEIHK9kGu5GRji5Q/Ypql3qAjwAz49UzHvGuBnkAjbQLG
WTDzje/vxTQDaG43eEfyBg3qTE4vcMWZVJm1MMURkblZqFVoZUVBpdr4Pqfz
+vYTxPDZGCdRHs4qv07tu4kcGemyqyanoMmzjLYmWXedQmdUwT7UT7vrCeS2
A7HPJUPl7MUaBcI6UxU9Lo1Dz1skqOpclPG2D3YfCG4fhy3EEVmCsl7QIPxh
MqEAEQEAAcLBXwQYAQgAEwUCWBIaJAkQy2Xcle98YS0CGwwAADfpD/9c/5el
kFAZTTcc1zqqvVYsLEf6alq8Jc7umoD+fQKkvHnZPzPnInvb4dOcywfBTq75
qW6xzfhG/xOWFvoMNZEiVeR01sHzLDxyjwHtneEovw/L8W3375r3d/K7aMu3
E7ib/4eTNyts4A1VQfHah8+g6DkSCNzvPGjlWZE2SejMk2XDG+umlzGAWG+I
xlraf4o+5ayE+O36CEyodALf1zkmG0VWVqEaLByGiwhZMoSH57Dh5vwxPm6B
fDBhg5FSfrPkU6E/c0VEuAz8g3zzvLkrDIgDDcKO5S6l1IXrgWsosWj2bjFI
KgMWPWq834IRNe5kQMy+ZBRpxJG0X11b5yQJVSI0d0nuGwvppWVk8l4UkIHp
CNL2fSjHWI7BO7YdUilwa+9OeW7cMPyt78nFxrd4hARocOIY3OBCuBeiv9FX
7rpWtCphgmeRscBtGsOO8GGXhOW2TTpyusPsyT0KSfkCy3/GlMhAHf141xBZ
4Zg8M2upB1Zfwz3lvfnalAY+/xPW9XQEHr6rdZog7wNFlMx2rZz9Zoi7K3cY
cF3hDsi+AbT6NrJcWo6cgUz8EVkMYrEEUd+X4cqA9nCC2w8eMxo1cPghKHNT
oR9LijUkJBFZPFKRsbG2PDp3gcLw1QTNjTHDYFREbJKjfAmWbyyZqzAG067+
gb3Sv+T9pF74xfyyrw==
=yfgW
-----END PGP PUBLIC KEY BLOCK-----
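A key copied from a web page is easy to mangle (line breaks lost, characters dropped), and an encrypted report is only as good as the key it was encrypted to. The following is an added example, not Adafruit's code or tooling: it dearmors an ASCII-armored OpenPGP public key block, verifies the RFC 4880 CRC-24 checksum so a corrupted copy is rejected before import, and walks the packet headers to return the User ID packets, so you can confirm the key actually names the mailbox you intend to write to. Only the Python standard library is used; the sample block in the demo is constructed here for illustration and is not the key above.

```python
"""Sanity-check an ASCII-armored OpenPGP public key before importing it.

Added example, not Adafruit's own code. Implements the armor format and
packet-header parsing from RFC 4880 with the standard library only.
"""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as specified in RFC 4880 section 6.1 (the '=XXXX' armor line)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Parse an armor block (header lines, blank line, base64 body, '=CRC' line).

    Raises ValueError if the framing is wrong or the checksum does not match,
    which is what happens to a key that was flattened or truncated by copy/paste.
    """
    lines = [ln.rstrip("\r") for ln in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP ") or not lines[-1].startswith("-----END PGP "):
        raise ValueError("missing armor header/footer")
    body = lines[1:-1]
    try:
        blank = body.index("")  # armor headers (Version:, Comment:) end at the first blank line
    except ValueError:
        raise ValueError("armor headers not terminated by a blank line") from None
    data_lines = [ln for ln in body[blank + 1:] if ln]
    if not data_lines or not data_lines[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    raw = base64.b64decode("".join(data_lines[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(data_lines[-1][1:]), "big")
    actual = crc24(raw)
    if actual != expected:
        raise ValueError(f"CRC-24 mismatch: computed {actual:06X}, armor says {expected:06X}")
    return raw


def iter_packets(raw: bytes):
    """Yield (tag, body) for each OpenPGP packet, old- and new-format headers."""
    i = 0
    while i < len(raw):
        ctb = raw[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable-length length
            tag = ctb & 0x3F
            first = raw[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + raw[i + 2] + 192, 3
            elif first == 255:
                length, hlen = int.from_bytes(raw[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial-length packets not supported")
        else:  # old-format header: tag in bits 2-5, length-type in low 2 bits
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate-length packet not supported")
            lsize = (1, 2, 4)[ltype]
            length = int.from_bytes(raw[i + 1:i + 1 + lsize], "big")
            hlen = 1 + lsize
        body = raw[i + hlen:i + hlen + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += hlen + length


def user_ids(armored: str) -> list:
    """Return the User ID strings (packet tag 13) found in a public-key block."""
    return [body.decode("utf-8") for tag, body in iter_packets(dearmor(armored)) if tag == 13]


def armor(raw: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Inverse of dearmor; used below to build a constructed sample block."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 60] for i in range(0, len(b64), 60))
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return f"-----BEGIN {kind}-----\n\n{body}\n={crc}\n-----END {kind}-----\n"


if __name__ == "__main__":
    # Constructed sample: a single new-format User ID packet (tag 13), not a real key.
    uid = b"Adafruit Security Team <security@adafruit.com>"
    sample = armor(bytes([0xC0 | 13, len(uid)]) + uid)
    print("User IDs:", user_ids(sample))
```

Run it against the real key by saving the block above to a file and calling `user_ids(open(path).read())`; a `CRC-24 mismatch` error means the copy is damaged and should not be imported, and a User ID that does not match the address you are mailing means you have the wrong key.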
Disclosures
Keeping Your Account Protected - November 2016.
A GitHub repository was public-viewable - March 2022.