
Dyson
Bounty range: $2,000 - $10,000 (external program)
Program guidelines
Average time to first response: 6 hours
Average time to triage: 3 days, 6 hours
Average time to bounty: 1 week, 12 hours
Average time from submission to bounty: 1 week, 3 days
Average time to resolution: 6 months, 2 days
Last updated on February 4, 2025 (version history: /dyson/bounty_table_versions).
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
Severity | Avg. bounty | Share of submissions
Low | $100 | 47.16%
Medium | $400 | 28.57%
High | $800 | 19.34%
Critical | n/a | 4.93%
Bounty by asset category and severity:
Asset category | Low | Medium | High | Critical
Dyson Connected Products (IoT Hardware) | $2,000 | $4,000 | $6,000 | $10,000
Alternate Assets | $100 | $400 | $800 | —
Secondary Assets | $100 | $400 | $1,000 | $2,000
Core Assets | $200 | $500 | $2,000 | $3,000
For vulnerabilities eligible for a reward, the bounty will be rewarded upon triage and validation by the Dyson security team. We will keep you informed on the progress to resolve your report.
http://www.dyson.at, api.dyson.at, http://www.dyson.be, api.dyson.be, http://www.dysoncanada.ca, api.dysoncanada.ca, http://www.dyson.dk, api.dyson.dk, http://www.fi.dyson.com, api.fi.dyson.com, api.dyson.fr, http://www.dyson.fr, http://www.dyson.de, api.dyson.de, http://www.dyson.ie, api.dyson.ie, http://www.dyson.it, api.dyson.it, http://www.dyson.nl, api.dyson.nl, http://www.dyson.no, api.dyson.no, http://www.dyson.pt, api.dyson.pt, http://www.dyson.es, api.dyson.es, http://www.dyson.se, api.dyson.se, shop.dyson.ch, http://www.dyson.ch, api.dyson.ch, http://www.dyson.co.uk, api.dyson.co.uk, http://www.dyson.com, api.dyson.com
*.cp.dyson.com
Dyson Link App
Other Dyson Assets
GitHub Findings
Dyson. Cloud
Subdomains of the root domains
*.dyson.com
Please check the scope here for more details - https://hackerone.com/dyson/policy_scopes
Core Ineligible Findings are out of scope (learn more: https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings).
Category exclusion details
This program has not committed to the following Platform Standards. As such, the report severity or outcome may differ from what those standards describe.
Severity rating for insecure direct object references (IDORs) with unpredictable IDs
Multiple reports on systemic vulnerabilities
Severity rating for vulnerable network connection in client applications
Severity rating for leakage of sensitive personally identifiable information
Third-party components: for programs consuming the component
Check https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8 for the full Platform Standards page list.
Last updated on March 3, 2026 (version history: /dyson/policy_versions).
Dyson takes the security of its customers, employees, and technology very seriously. Whilst we build our systems to be as robust as possible, we greatly value the support of security experts around the world in helping us identify and eliminate any weaknesses. To recognize these efforts and the key role security researchers play in keeping Dyson secure we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review and understand the program policy before submitting a report.
If you think you have found a security flaw, we welcome the chance to work with you – and reward you – to resolve the issue.
To show our appreciation for taking the time to help keep us secure, Dyson may provide cash rewards for qualifying vulnerabilities. We will work with you to determine the impact on our company, so submissions with detailed explanations and screenshots, alongside the impact you believe the issue has on Dyson, will go a long way to ensure that we both agree what the impact is. As a large company with many moving parts, it can take time for us to remediate vulnerabilities, especially when they involve many components or 3rd parties.
The scope for Dyson’s Bug Bounty program includes most of our assets and products. If it is not out of scope, and it is impactful to us or our customers, we want to hear about it. Please note that issues without security impact submitted to our program will be closed out - please review our out-of-scope section before submitting. By submitting a report or otherwise disclosing a vulnerability to us, you are indicating that you have read and agreed to follow the rules outlined in this policy. To ensure Dyson maintains its high level of reputation, and to keep ourselves and our customers safe, we ask you to adhere to the below rules when testing:
• Social engineering techniques (e.g. phishing, vishing, smishing) of Dyson employees or users are strictly prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Be respectful when interacting with our team; our team will do the same.
• Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
• Performing tests against accounts belonging to Dyson employees or customers is prohibited. Only interact with accounts you have created or with explicit permission of the account holder.
• Any physical attacks against Dyson property or data centers are not permitted.
• Include a custom HTTP header in all your traffic of the format X-Hackerone:
We appreciate every researcher who submits valid issues to us as it allows us to improve the security of our company and our products. To qualify for a reward, and to ensure that we can continue to have a working relationship, you must:
• Be the first reporter of the vulnerability.
• Submit a vulnerability within our Scope.
• Demonstrate a security impact to an asset or application in scope.
• Follow Hacker One’s disclosure guidelines.
• Have a working POC outlining the security implications for your report.
• Not have publicly disclosed the vulnerability without our consent.
• Not be employed by Dyson or any of its affiliates, or be an immediate family member of a person employed by Dyson or any of its affiliates.
• Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Not be using duplicate Hacker One accounts.
• Subdomain takeover vulnerabilities will be triaged as low severity across all asset categories. If the researcher is unable to demonstrate an actual takeover, the bounty awarded will be reduced by 50%. Furthermore, rewards for subdomain takeover findings will only be issued in cases where a practical takeover is demonstrably achievable within the given scenario.
• All reports related to "Promo-Code / Coupon Code / Free Shipping" vulnerabilities will be considered Informative or N/A across all asset categories. These issues are not eligible for bounty or further triage.
• Open redirects will be considered Informative across all asset categories.
Please note that multiple vulnerabilities caused by one underlying issue will be awarded one bounty. In the event of duplicates, we only award the first report that was received (provided that it can be fully reproduced). Before submitting an issue on an asset, make sure it is not listed in the out-of-scope section. Vulnerabilities reported on out-of-scope assets will be closed as N/A.
Please submit reports in plaintext, not via an attached file like DOC or PDF.
Please only submit one issue per report – this ensures you will receive credit for each issue and avoids delays in processing your report.
Quality matters – please make it clear what you are reporting and what the impact is. Higher quality reports help us quickly understand the issue, reduce the need for back-and-forth, and can therefore result in higher pay-outs.
Provide detailed written steps on how to reproduce your issue.
Before assigning a severity, please consider exactly how the issue impacts the security or privacy of Dyson users or systems, how an attacker could exploit it, and how it could be fixed.
Please fill out every section and question on the report, as this will facilitate the triage process and avoid delays.
For reports on assets that fall within the other assets category, please provide additional information and indicators suggesting why the asset belongs to Dyson.
If the vulnerability is particularly complex, including a video may be helpful – but please do not submit a report that is only a video. General software bugs that do not represent any security risk or are excluded from our program can be reported via email to mailto:[email protected]. Additionally, if unsure whether a domain belongs to Dyson please contact the aforementioned email address for clarification.
At this time Dyson is not permitting public disclosure of submitted reports.
We’ve noticed a rise in reports created entirely by AI that lack practical value. While AI can help improve clarity and organization, reports must include your own analysis, testing, or insights to meet our standards. Submissions that appear fully automated and lack genuine human contribution will be rejected. We expect thoughtful research, solid evidence, and analytical thinking—AI should assist, not replace, your work.
If you discover a potential security problem in our products, applications or websites, please let us know as soon as possible.
Dyson will make a best effort to meet the following SLAs for hackers participating in our program:
Time to first response (from report submit) - 5 business days.
Time to triage (from report submit) - 10 business days.
Time to bounty (from triage) - 30 business days.
Time to resolution (from triage) - 30 business days (Low and Medium issues may require more time)
Any design or implementation issue that is reproducible and substantially affects the security of Dyson is likely to qualify.
When in doubt whether we would consider a vulnerability for a reward, map out the impact the vulnerability would have to Dyson or Dyson’s customers.
We encourage you to increase the severity of your reflected cross-site scripting/open redirect findings by going beyond the traditional alert (1) pop-up or a redirection to google.com.
Please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Reports generated using automated scanning tools
Newly disclosed "0-day" or "zero-day" vulnerabilities, publicised less than a month prior
Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Issues related to software or protocols not under Dyson control
Clickjacking or lack of X-Frame-Options on pages without an authenticated, state-changing action
CSRF on non-sensitive actions, such as login, logout, adding items to a shopping cart, etc.
Username/Email Enumeration
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS). All reports related to "Lack of rate-limiting" or "Rate Limiting" related vulnerabilities will be considered as Out Of Scope.
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Brute-forcing coupon codes.
Lack of secure/HTTP Only flags for non-sensitive data.
Banner grabbing issues.
Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)
Social Media account takeovers
We are aware the S3 software update repository (software.dyson.com) can be enumerated, but the binary images within should be encrypted. We would love to hear if they aren’t, or if they can be decrypted!
We know of the SPF issues; there is an ongoing project to rectify this, so do not submit email spoofing reports.
Credentials sourced from the dark web.
Rate Limiting Bugs on Password Reset Endpoints.
Reports related to Outdated/Old links will not be eligible for a reward and will be considered as N/A.
Reports of cache poisoning vulnerabilities that rely on the use of "cachebusters"—such as unique or random query parameters appended to resource URLs in order to trigger the cache poisoning—are not eligible for bounty consideration. Only reports demonstrating a cache poisoning impact against default or standard asset URLs, without the need to manipulate the URL with arbitrary or non-standard parameters, will be considered within scope.
The following bugs relating to IoT Hardware are unlikely to be eligible for a bounty:
We are aware that Bluetooth on the device is constantly on, this was a design decision.
We are aware of the availability of some debug/serial interfaces on certain components within the product. Whilst the discovery of these interfaces will not be eligible for bounty payments, any sensitive data yielded or manipulations you can perform over said interfaces will be.
Local network flooding that causes devices to stop responding for a brief period of time.
We are aware that in some Dyson products, direct communication traffic (MQTT) between a mobile device and the product which is routed over a secured Wi-Fi network is not encrypted.
The information on this page is intended only for security researchers. If you’d like to know more about our security and data privacy, please see our Privacy website (http://privacy.dyson.com/en/homepage.aspx).
Dyson takes the security of its customers, employees and technology very seriously. Whilst we build our systems to be as robust as possible, we greatly value the support of security experts around the world in helping us identify and eliminate any weaknesses.
If you think you've found a security flaw, we welcome the chance to work with you to resolve the issue.
If you discover a potential security problem in our products, applications or websites, please let us know as soon as possible. We will endeavor to acknowledge your correspondence within 72 hours and provide regular updates to you about progress.
Finally, please make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Dyson currently runs a Bug Bounty program on Hacker One; if you wish to submit a new report via the program, do so here:
https://hackerone.com/dyson?type=team
Dyson currently runs a Vulnerability Disclosure Program; if you wish to submit a new report via the program, please email mailto:[email protected]. Please note: we do not pay bounties for issues reported to us outside of our Bug Bounty program.
Top hackers thanked (see all at /dyson/thanks):
1. shubs (Reputation: 1k)
2. mikee (Reputation: 1k)
3. saltedfish (Reputation: 1k)
4. d0xing (Reputation: 798)
5. fqdn (Reputation: 689)
6. malcolmx (Reputation: 651)
7. todayisnew (Reputation: 507)
8. hackbox-ai (Reputation: 501)
9. fixit (Reputation: 473)
10. dittyroma (Reputation: 464)
11. jacksparrow9999 (Reputation: 446)
12. sergeym (Reputation: 433)
Dyson (http://dyson.com, https://x.com/Dyson)
Dyson Ltd is a British technology company that designs and manufactures vacuum cleaners, hand dryers, bladeless fans, heaters and hair dryers. Bug Bounty Program launched in Jul 2025.
Severity | Rewards
Low | $100–$2,000
Medium | $400–$4,000
High | $800–$6,000
Critical | $2,000–$10,000
Total bounties paid: $420,410
Average bounty range: $200 - $400
Top bounty range: $800 - $10,000
Bounties paid (90 days): $8,550
Reports received (90 days): 200
Last report resolved: 20 hours ago
Reports resolved: 822
Hackers thanked: 400
Assets in scope: 66
© HackerOne