Nest

If you’re a security researcher and think you’ve found a security vulnerability, we want to hear about it right away. We ask that you give us a reasonable amount of time to respond to your report before making any information public. Please don’t access or modify user data without permission of the account owner and act in good faith not to degrade the performance of our services (including denial of service). If you comply with these requests, we won’t take legal action against you.

We’re interested in the following areas:

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF/XSRF)
• SQL injection (SQLi)
• Authentication/authorization for devices or clients
• Sharing/public model
• Remote code execution
• Data exposure
• Alert/notification spoofing
• Nest Thermostat, Nest Protect, or Dropcam local Denial of Service (DoS)
• Nest Thermostat, Nest Protect, or Dropcam resets and lockups
• Wireless vulnerabilities (but not including wireless Denial of Service (DoS))

Out of scope areas:

• Website or API Denial of Service (DoS)
• Wireless Denial of Service (DoS)
• Issues only present in old/end-of-life browsers and old plugins