Adafruit Industries Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

At Adafruit, we understand that security is essential in maintaining the trust you place in us to provide products and services to you. Although our team works vigilantly to help keep customer information secure, we recognize the important role that security researchers and our user community play in helping to keep our users secure. If you are a security researcher and have discovered a security vulnerability in our website or service, we ask for your help in disclosing it to us in a responsible manner.

If you discover a site vulnerability or are a customer who is concerned your account has been compromised, please notify us via [email protected]. We encourage you to encrypt sensitive information; please see below for our public PGP key. For verified vulnerabilities and bugs, we may offer certain rewards for your smarts and efforts at our discretion as a thank you (such as store credit and Adafruit gear!).

Testing Requirements:

When reaching out to us, please include:

A detailed summary of the issue, including a list of steps for how we can reproduce it.
Correct contact information, such as an email address, by which we can reach you in case we need more information.
Whether and how you would like us to identify you in our "Hall of Fame".
We believe in placing our users' interests first. We believe that responsible disclosure involves privately notifying us of any security vulnerabilities, and allowing us appropriate time to diligently address the vulnerabilities before making full disclosure to the public. For our part, while we are working on addressing the vulnerability, we will advise customers of potential risk if appropriate where it does not increase the overall risk to customers. We will do our best to notify you as soon as the vulnerability has been addressed and ask that you do not disclose it publicly or share it with others until then.

We appreciate these types of research activities, but will not tolerate any actions that put our users at risk:

Do not attempt to access, modify, destroy, or disclose our users' information.
Do not attempt to deface or degrade our services.
Do not violate applicable law.
The combined contributions of all security professionals in our community are essential to keeping us all secure.

Possible Awards:

Adafruit products and more.

Special Notes:

We encourage you to encrypt sensitive information you send to us as a part of your vulnerability disclosure. You can use our PGP key to send us sensitive information via [email protected]:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v1.5.2
Comment: https://www.mailvelope.com

xsFNBFgSGh4BEAC6kp+TCD0FzzhhPtsRdZ7cdfFKSYtvxWitNdn54+UhppUE
xqavNGaSuz5jbMqojz2INWL8m0I7H8kA8NHYq4nhTtqIOh0C//7u/mKDy88j
j2nDFvKoT9n01j3mfQzWUAfVaMJ1OdKh5+oupELw1zqxFGy1COKKmMAjmM9L
HmkL2Y6cXGqgLK8IbuoYZ87MUzAAI6jrASCn4llf1F+g/Qqoh3uqt0D7OCij
SbVksMo1roqo6qJlNq/q8gtp5cqYiYb56bpSwd7uQCwhEA3VuqpedkIvgEQk
E80VLBD+L9MuLQxzaU9MyNxWH+pr2rTmffcrKSf8S1cpXZsR4Gcom90riXK8
YYLIC5EtZV8aQNQ621WwifkRhsUuQL8VWEzGp4eccgQlmx/4HHyFCONwB3Fm
ewiTehKT+ZfEuFXGjKij4XUgoO28zlDVEtwr9b3xOg2jYlfE9KAnY29uqZx0
bDlgpysWgwdnjgFwHbdpp/0khDfxKtlpxoF6jTng6vLpRknmZW26FDYh45kK
9rwxlMDNuKzeNJI/jWotaKb1vFx1KtwvOlvZ93kPua9XkgvWvc1qfC4QI6V8
UzSpV6Mfzcjz8gh1UwCrXXqph2TOpMXPzElAJXAf44h1UgsJpbyOngl4xWb1
Xi+QMF1f5VTzmvvETmnBAiNncN6stv8lv7pogwARAQABzS5BZGFmcnVpdCBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBhZGFmcnVpdC5jb20+wsF1BBABCAAp
BQJYEhoiBgsJCAcDAgkQy2Xcle98YS0EFQgCCgMWAgECGQECGwMCHgEAAFJ+
EACw//CCx9juEt7kLY87RX7U1cqMmXdKFHBco4XumBHufjXKCHClX//enggj
bWiaN/YZozQkKZfkcAey0IY70166EAPUzcZwzqX4ZSI7F/Er0WHr07pLa1aF
QWslVL2e3CWfTM2k6PjgC8puvcooK2J/Y1cRn33w0NcDZJJQ9uk/npd0/xzD
AFWRU6kbPoGa1AJ7mGbKJbx0aYnShqiVSCDBYI0F/bHB0IoRJ8EEDbmqbVhQ
kaKjIKFaDLW16jyyQF32bMDaVywtw7ce9liS0bq98x/TnN9te1S5ZV4Y3x+i
xUQG15w66uhhjyfu6D6/n8MwLf23hIeqZd5e1pSynvAMoveZd73zuYNfozO6
U9Scq/azkbOVXTO69F1MUVY81KEa0E9VAgEBPPaEwdC5dOEpQQoBfiC3oWRr
rOmKvGdCE/MLsBvh39IbToeNSBAcPPJIg7HVGzkiv4FZyHWQnoLBYk+zvpM3
AV+yzxHicm/r+n1HoDVT4Gr64fuzEalgiCkfuBdTaA1Keu8uXrb8aps6MgLP
d+IBYWYSfLG3gcqugiGRGpuqUDkIcf4PbQB4PxGKAIvVmTRY9uE5r34W24/p
kYOBoLfAm5UKZ/0kT8Zh0yV0YLYzXjdxojBqoZNIUXz01oZdQ4yzjhlZpjb8
cd28eS0G0EwR7SsM3rm81wd2ec7BTQRYEhoeARAA83O4nNHuyFx2C+mHvdgv
Qr4g/uYHog+vYYy0oQBFPGmuGwZ+y3ooPMSbcpcmurh+0aBnkZToimubm/Ip
CXcJ28o6RH2KIPX0X6Q2HsWNAM6BVBWCezajDRxcIjL2DQHSoot0jovHq7Jt
3VjxCfm/OJyLkPoi2NHg4PJ7Be5bPOX1qyj0k/caRFKQxzvCARe4zWn9Pe7Y
Yt+e1dMWzy4NDmz8BjKCkng4xM1Nc7/2/SYdbvngEWyhOWrLScttK5h85sx8
V2sWYxC7S5CPLRZRBteU+gMUmE2k6hDZIPWA/icLXwcFjtIArZWAjYix85EE
5d0U1Dkjr6SAt7FolPrVHFxe3jII50PhlE/3bWnQlQJL5ndJfOs9957Kvf0N
IqtzmDtzNTqrD1XWT6mrxssFcoxjgpBzsw3QXzGcm7C/Mbtzq63eRk4qt5iy
KeB/jZm/IhHMMyhJEIHK9kGu5GRji5Q/Ypql3qAjwAz49UzHvGuBnkAjbQLG
WTDzje/vxTQDaG43eEfyBg3qTE4vcMWZVJm1MMURkblZqFVoZUVBpdr4Pqfz
+vYTxPDZGCdRHs4qv07tu4kcGemyqyanoMmzjLYmWXedQmdUwT7UT7vrCeS2
A7HPJUPl7MUaBcI6UxU9Lo1Dz1skqOpclPG2D3YfCG4fhy3EEVmCsl7QIPxh
MqEAEQEAAcLBXwQYAQgAEwUCWBIaJAkQy2Xcle98YS0CGwwAADfpD/9c/5el
kFAZTTcc1zqqvVYsLEf6alq8Jc7umoD+fQKkvHnZPzPnInvb4dOcywfBTq75
qW6xzfhG/xOWFvoMNZEiVeR01sHzLDxyjwHtneEovw/L8W3375r3d/K7aMu3
E7ib/4eTNyts4A1VQfHah8+g6DkSCNzvPGjlWZE2SejMk2XDG+umlzGAWG+I
xlraf4o+5ayE+O36CEyodALf1zkmG0VWVqEaLByGiwhZMoSH57Dh5vwxPm6B
fDBhg5FSfrPkU6E/c0VEuAz8g3zzvLkrDIgDDcKO5S6l1IXrgWsosWj2bjFI
KgMWPWq834IRNe5kQMy+ZBRpxJG0X11b5yQJVSI0d0nuGwvppWVk8l4UkIHp
CNL2fSjHWI7BO7YdUilwa+9OeW7cMPyt78nFxrd4hARocOIY3OBCuBeiv9FX
7rpWtCphgmeRscBtGsOO8GGXhOW2TTpyusPsyT0KSfkCy3/GlMhAHf141xBZ
4Zg8M2upB1Zfwz3lvfnalAY+/xPW9XQEHr6rdZog7wNFlMx2rZz9Zoi7K3cY
cF3hDsi+AbT6NrJcWo6cgUz8EVkMYrEEUd+X4cqA9nCC2w8eMxo1cPghKHNT
oR9LijUkJBFZPFKRsbG2PDp3gcLw1QTNjTHDYFREbJKjfAmWbyyZqzAG067+
gb3Sv+T9pF74xfyyrw==
=yfgW
-----END PGP PUBLIC KEY BLOCK-----

Other Submissions Handling