eero

#eero Program Policy

##Introduction The first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.

The eero Bug Bounty Program is designed to recognize security research on our consumer electronics, and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keep you informed of our progress on the investigation.

eero Program Process

In order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, device model (if applicable), clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.

To be considered for a reward, you must comply with all parts of this policy, including the following requirements:

• Adherence to our Responsible Research and Disclosure Policy and other legal obligations.
• Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.
• Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.
• Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on eero products.
• You must be available to provide additional information if needed by us to reproduce and investigate your report.

Please note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.

##Rules of Engagement (Behavior)

• Amazon/eero employees and contractors, as well as their immediate family members are strictly prohibited from participating in this program.
• Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, and pivoting with access not normally granted
• Do not attempt to perform brute-force attacks, denial-of-service attacks that hinder Amazon/eero in serving Customers
• Do not compromise or test Amazon/eero accounts that are not your own
  • If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith
• Do not attempt to target Amazon/eero employees or its customers, including social engineering attacks, phishing attacks or physical attacks
• Do not perform any testing against assets that directly involve Amazon Employees in communication
  • This can include support chats, even ones appearing to be automated.
• Do not perform physical attacks again any Amazon/eero facility
• Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.

Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.

##Rules of Engagement (Testing)

• Make sure to use the User-Agent string eeroResearcher_yourh1username while testing
• Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than 5 requests per second to any particular service.
• Please note, use of scanning tools without the User-agent string eeroResearcher_yourh1username may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.
• Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo. Our concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.
• Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact.
  • For example, https://domain.com/endpoint?cb=test , in this case cb is added as a cache buster to prevent any customer impact. **Not using a version hosted yourself, will result in complete forfeiture of any reward. **

Bypass Reports

If you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field Bypass Reference with the original ID of the finding. This has no bearing on reward, it just helps Amazon with secondary data tracking.

Creating Accounts for Vulnerability Research

Please create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using [email protected]

eero Program Scope

In Scope Devices This Bug Bounty program covers all eero-branded or manufactured devices sold by eero or an authorized retailer. The eero device must be running the latest available software and must be listed on the ‘eero security updates’ page listed below and not have a date in the past.

Software Update Reference

• https://support.eero.com/hc/en-us/articles/4401964665243-eero-Software-Security-Updates

In Scope Services & Apps: This program awards the vulnerabilities discovered on all eero backend services & apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The Secondary focus of this program is on sites and services used for marketing or brand presence (i.e. main web site).

In Scope Mobile Application Packages:

In Scope Application Domains

• This Bug Bounty program covers all eero domains owned by eero.

Vulnerability Severity Ratings

The severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description, in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.

The Severity mentions below are a guideline, and not definitive. There may be situations where compensating controls or complexity of a finding increases or decreases severity.

Severity Ratings for Devices

Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.

Critical
Critical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.

High
High severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s Amazon account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, or installing apps. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with remote access vector.

Medium
Vulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset with local access vector would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.

Low
Low security vulnerabilities that may not pose a direct security impact to customer or the device such as parental control bypasses.

Service & Apps Vulnerability Severity Ratings

Use following table to determine the severity ratings for web and mobile app vulnerabilities.

Not In Scope Please do check whois record before you submit any issues on domains found from Subdomain Scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.

Non-qualifying Vulnerabilities This program does not award low severity, purely theoretical and best-practice issues. Here are some examples:

• Descriptive error messages (e.g. Stack Traces, application or server errors)
• Theoretical sub-domain takeovers with no supporting evidence
• HTTP 404 codes/pages or other HTTP non-200 codes/pages
• Information leakage, fingerprinting / banner disclosure on common/public services
• Disclosure of known public files or directories, (e.g. robots.txt)
• Clickjacking and issues only exploitable through clickjacking
• CSRF on forms that are available to anonymous users (e.g. the contact form)
• Logout Cross-Site Request Forgery (logout CSRF)
• Presence of application or web browser 'autocomplete' or 'save password' functionality
• Lack of Secure/HTTPOnly flags on non-sensitive Cookies
• Weak Captcha / Captcha Bypass
• Forgot Password page brute force and account lockout not enforced
• OPTIONS HTTP method enabled
• Reflected file downloads
• Missing Cache control
• Host Header Attack
• Directory Listing
• Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
• SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)
• Not performing rate limiting on endpoints
• Content spoofing
• PKP / HSTS preloading
• Generic examples of Host header attacks without evidence of the ability to target a remote victim
• Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
• SPF, DKIM, or DMARC settings & Email Spoofing
• Mixed Content Scripting & Self XSS

Non-qualifying Vulnerabilities for Mobile Apps (Android & iOS) -

• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view URIs opened
• The absence of certificate pinning
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation is out of scope
• Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
• Any kind of sensitive data stored in app private directory
• Lack of Exploit mitigations ie PIE, ARC, or Stack Canaries
• Path disclosure in the binary
• User data stored unencrypted on the file system
• Lack of jailbreak & root detection
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls, mobile SSL pinning
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• App logging (logcat, console logs) sensitive information unless you can provide a proof with a malicious app stealing the data from logs
• Apps allowing data backups

Operational Security Issues

The goal of this program is to improve the security of our services for Customers. We do not reward, but will accept “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions will only receive reputation points.

Responsible Research and Disclosure Policy

We require that you -

• Do not access or collect any customer data.
• Do not exploit the security vulnerability for any other purposes than for testing.
• Must not publicly disclose any information regarding the reported issue.
• In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted.

While it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.

Safe Harbor

Amazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.

As long as you comply with this policy:

• We consider your security research to be "authorized" under the Computer Fraud and Abuse Act.
• We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.

Amazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.

Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc. To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

• Share your PII with third parties.
• Share your HackerOne points, or participation without your permission.