[{"id":3766578,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving Customers\n* Do not compromise or test Amazon/eero accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon/eero employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service.\n* Please note, use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. 
\n   * For example, https://domain.com/endpoint?cb=test; in this case `cb` is added as a cache buster to prevent any customer impact.\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Bypass Reports\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward, it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n**In Scope Devices**\nThis Bug Bounty program covers all eero-branded or manufactured devices sold by eero or an authorized retailer. The eero device must be running the latest available software and must be listed on the ‘eero security updates’ page linked below and not have a date in the past.\n\n**Software Update Reference**\n\n- https://support.eero.com/hc/en-us/articles/4401964665243-eero-Software-Security-Updates\n\n**In Scope Services \u0026 Apps:**\nThis program awards the vulnerabilities discovered on all eero backend services \u0026 apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n**In Scope Mobile Application Packages:**\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n- This Bug Bounty program covers all eero domains owned by eero. 
\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the below description; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**The severity ratings below are a guideline, and not definitive. There may be situations where compensating controls or the complexity of a finding increases or decreases severity.**\n\n**Severity Ratings for Devices**\n\n*Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset with local access vector would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n### Service \u0026 Apps Vulnerability Severity Ratings\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability    |Severity Range    |\n|---    |---    |\n|Remote Code Execution    |Critical    |\n|SQL Injection    |High - Critical    |\n|XXE    |High - Critical    |\n|XSS    |Medium - Critical    |\n|Server-Side Request Forgery    |Low - Critical    |\n|Directory Traversal - Local File Inclusion    |Medium - High    |\n|Authentication/Authorization Bypass (Broken Access Control)    |Medium - High    |\n|Privilege Escalation    |Medium - High    |\n|Insecure Direct Object Reference    |Medium - Critical    |\n|Misconfiguration    |Low - High    |\n|Web Cache Deception    |Low - 
Medium    |\n|CORS Misconfiguration    |Low - Medium    |\n|CRLF Injection    |Low - Medium    |\n|Cross Site Request Forgery    |Low - Medium    |\n|Open Redirect    |Low - Medium    |\n|Information Disclosure    |Low - Medium    |\n|Request smuggling    |Low - Medium    |\n|Mixed Content    |Low    |\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive Cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing\n* Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\n*Non-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS)*\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in app private directory\n* Lack of Exploit mitigations i.e. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* 
App logging (logcat, console logs) sensitive information unless you can provide a proof with a malicious app stealing the data from logs\n* Apps allowing data backups\n\n\n### Operational Security Issues\nThe goal of this program is to improve the security of our services for Customers. We do not reward, but will accept “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nWe require that you:\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any other purposes than for testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-25T23:34:32.503Z"},{"id":3766574,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. 
Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving Customers\n* Do not compromise or test Amazon/eero accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon/eero employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service.\n* Please note, use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. 
\n   * For example, https://domain.com/endpoint?cb=test; in this case `cb` is added as a cache buster to prevent any customer impact.\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Bypass Reports\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on reward, it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n**In Scope Devices**\nThis Bug Bounty program covers all eero-branded or manufactured devices sold by eero or an authorized retailer. The eero device must be running the latest available software and must be listed on the ‘eero security updates’ page linked below and not have a date in the past.\n\n**Software Update Reference**\n\n- https://support.eero.com/hc/en-us/articles/4401964665243-eero-Software-Security-Updates\n\n**In Scope Services \u0026 Apps:**\nThis program awards the vulnerabilities discovered on all eero backend services \u0026 apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n**In Scope Mobile Application Packages:**\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n- This Bug Bounty program covers all eero domains owned by eero. 
\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the below description; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**The severity ratings below are a guideline, and not definitive. There may be situations where compensating controls or the complexity of an exploit decreases or increases severity.**\n\n**Severity Ratings for Devices**\n\n*Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset with local access vector would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n### Service \u0026 Apps Vulnerability Severity Ratings\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability    |Severity Range    |\n|---    |---    |\n|Remote Code Execution    |Critical    |\n|SQL Injection    |High - Critical    |\n|XXE    |High - Critical    |\n|XSS    |Medium - Critical    |\n|Server-Side Request Forgery    |Low - Critical    |\n|Directory Traversal - Local File Inclusion    |Medium - High    |\n|Authentication/Authorization Bypass (Broken Access Control)    |Medium - High    |\n|Privilege Escalation    |Medium - High    |\n|Insecure Direct Object Reference    |Medium - Critical    |\n|Misconfiguration    |Low - High    |\n|Web Cache Deception    |Low - 
Medium    |\n|CORS Misconfiguration    |Low - Medium    |\n|CRLF Injection    |Low - Medium    |\n|Cross Site Request Forgery    |Low - Medium    |\n|Open Redirect    |Low - Medium    |\n|Information Disclosure    |Low - Medium    |\n|Request smuggling    |Low - Medium    |\n|Mixed Content    |Low    |\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive Cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing\n* Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\n*Non-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS)*\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in app private directory\n* Lack of Exploit mitigations i.e. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* 
App logging of sensitive information (logcat, console logs), unless you can provide proof of a malicious app stealing the data from the logs\n* Apps allowing data backups\n\n### Operational Security Issues\nThe goal of this program is to improve the security of our services for Customers. We do not reward, but will accept, “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-25T23:30:18.760Z"},{"id":3764239,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. 
Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize, through bounty rewards, security research on our consumer electronics and the associated Devices and Services cloud services and web/mobile applications. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and to keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including: the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted.\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving Customers.\n* Do not compromise or test Amazon/eero accounts that are not your own.\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n* Do not attempt to target Amazon/eero employees or customers, including social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon Employees in communication.\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility.\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service.\n* Please note, use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* Any application-level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. 
\n   * For example, https://domain.com/endpoint?cb=test; in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Bypass Reports\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on the reward; it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n**In Scope Devices**\nThis Bug Bounty program covers all eero-branded or manufactured devices sold by eero or an authorized retailer. The eero device must be running the latest available software and must be listed on the ‘eero security updates’ page linked below and not have a date in the past.\n\n**Software Update Reference**\n\n- https://support.eero.com/hc/en-us/articles/4401964665243-eero-Software-Security-Updates\n\n**In Scope Services \u0026 Apps:**\nThis program rewards vulnerabilities discovered on all eero backend services \u0026 apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n**In Scope Mobile Application Packages:**\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n- This Bug Bounty program covers all eero domains owned by eero. 
\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Ratings for Devices**\n\n*Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or gain remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. 
Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset with a local access vector would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n### Service \u0026 Apps Vulnerability Severity Ratings\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability    |Severity Range    |\n|---    |---    |\n|Remote Code Execution    |Critical    |\n|SQL Injection    |High - Critical    |\n|XXE    |High - Critical    |\n|XSS    |Medium - Critical    |\n|Server-Side Request Forgery    |Low - Critical    |\n|Directory Traversal - Local File Inclusion    |Medium - High    |\n|Authentication/Authorization Bypass (Broken Access Control)    |Medium - High    |\n|Privilege Escalation    |Medium - High    |\n|Insecure Direct Object Reference    |Medium - Critical    |\n|Misconfiguration    |Low - High    |\n|Web Cache Deception    |Low - Medium    |\n|CORS Misconfiguration    |Low - Medium    |\n|CRLF Injection    |Low - Medium    |\n|Cross Site Request Forgery    |Low - Medium    |\n|Open Redirect    |Low - Medium    |\n|Information Disclosure    |Low - Medium    
|\n|Request smuggling    |Low - Medium    |\n|Mixed Content    |Low    |\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive Cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing\n* Missing HTTP security headers, specifically those listed at https://www.owasp.org/index.php/List_of_useful_HTTP_headers\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS) -\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in the app private directory\n* Lack of exploit mitigations, e.g. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls or mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* 
App logging of sensitive information (logcat, console logs), unless you can provide proof of a malicious app stealing the data from the logs\n* Apps allowing data backups\n\n### Operational Security Issues\nThe goal of this program is to improve the security of our services for Customers. We do not reward, but will accept, “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions will only receive reputation points.\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us of what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-06T23:41:06.724Z"},{"id":3761243,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. 
Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize, through bounty rewards, security research on our consumer electronics and the associated Devices and Services cloud services and web/mobile applications. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and to keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including: the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted.\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving Customers.\n* Do not compromise or test Amazon/eero accounts that are not your own.\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n* Do not attempt to target Amazon/eero employees or customers, including social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon Employees in communication.\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility.\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service.\n* Please note, use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* Any application-level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. 
\n   * For example, https://domain.com/endpoint?cb=test; in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Bypass Reports\nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report due to the content being different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on the reward; it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n*In Scope Devices*\nThis program rewards vulnerabilities discovered on the devices listed below that are running the latest available software.\n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program rewards vulnerabilities discovered on all eero backend services \u0026 apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\*\n* api-user.e2ro.com/\\*\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. 
Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Ratings for Devices**\n\n*Note, issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or gain remote access to sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), also fall into this category. 
Additionally, these vulnerabilities may include device bricking scenarios such as vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset with a local access vector would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n### Service \u0026 Apps Vulnerability Severity Ratings\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability    |Severity Range    |\n|---    |---    |\n|Remote Code Execution    |Critical    |\n|SQL Injection    |High - Critical    |\n|XXE    |High - Critical    |\n|XSS    |Medium - Critical    |\n|Server-Side Request Forgery    |Low - Critical    |\n|Directory Traversal - Local File Inclusion    |Medium - High    |\n|Authentication/Authorization Bypass (Broken Access Control)    |Medium - High    |\n|Privilege Escalation    |Medium - High    |\n|Insecure Direct Object Reference    |Medium - Critical    |\n|Misconfiguration    |Low - High    |\n|Web Cache Deception    |Low - Medium    |\n|CORS Misconfiguration    |Low - Medium    |\n|CRLF Injection    |Low - Medium    |\n|Cross Site Request Forgery    |Low - Medium    |\n|Open Redirect    |Low - Medium    |\n|Information Disclosure    |Low - Medium    
|\n|Request smuggling    |Low - Medium    |\n|Mixed Content    |Low    |\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HttpOnly flags on non-sensitive cookies\n* Weak CAPTCHA / CAPTCHA bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache-Control headers\n* Host header attacks\n* Directory listing\n* Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL/TLS issues (BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* HPKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 email spoofing\n* Mixed content scripting \u0026 self-XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS):\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in the app's private directory\n* Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL schemes\n* Lack of binary protection (anti-debugging) controls or mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* 
Apps logging sensitive information (logcat, console logs) unless you can provide proof of a malicious app stealing the data from the logs\n* Apps allowing data backups\n\n\n### Operational Security Issues \nThe goal of this program is to improve the security of our services for Customers. We accept, but do not reward, “Operational Security” (OpSec) submissions. OpSec issues include leaked employee passwords, leaked business documents, etc. These submissions receive reputation points only.\n\n## Responsible Research and Disclosure Policy\n\nWe require that you:\n\n* Do not access or collect any customer data. \n* Do not exploit the security vulnerability for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability arising from actions performed against third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-15T23:17:07.139Z"},{"id":3756212,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. 
Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics and the associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including: the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you may optionally also provide patch/mitigation suggestions. 
We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adhere to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report vulnerabilities only for the products or services listed within the scope of the program, and only if the report is not a duplicate of a previously known vulnerability.\n* Vulnerabilities must be submitted to us first through HackerOne and cannot be disclosed to a third party without our consent.\n* Vulnerabilities found in the SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if we need it to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted.\n* Do not perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving Customers.\n* Do not compromise or test Amazon/eero accounts that are not your own.\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n* Do not target Amazon/eero employees or customers, including through social engineering, phishing, or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon employees in communication.\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility.\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility or, further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing) \n\n* Use the User-Agent string `eeroResearcher_yourh1username` (substituting your HackerOne username) while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied; scanners/tools must be configured to send no more than **5** requests per second to any particular service.\n* Please note that use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP being blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use 3rd-party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only use assets that you expressly own and control yourself. This can be done using a self-hosted fork of the xsshunter-express repo.\nOur concern with 3rd-party infrastructure is the exposure of the vulnerability and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you control.\n* Any application-level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. 
\n   * For example, in `https://domain.com/endpoint?cb=test` the `cb` parameter is added as a cache buster to prevent any customer impact.\n\n**Using callback or collection infrastructure that is not hosted by you will result in complete forfeiture of any reward.**\n\n## Bypass Reports  \nIf you find a bypass of a previous report you’ve created, or we ask that you create a new report because the content is different enough, please fill out the Custom Field `Bypass Reference` with the original ID of the finding. This has no bearing on the reward; it just helps Amazon with secondary data tracking.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n \n## eero Program Scope\n\n*In Scope Devices*\nThis program rewards vulnerabilities discovered on the devices listed below when they are running the latest available software. \n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program rewards vulnerabilities discovered in all eero backend services \u0026 apps available to customers and in the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (e.g. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\* \n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nCheck the WHOIS record of any domain surfaced by a subdomain scanner before you submit an issue on it. eero uses a number of third-party providers and services. 
Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case by case and will most likely not be eligible for a reward. Direct attacks against any part of the AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, or best-practice issues. Examples include:\n\n* Descriptive error messages (e.g. stack traces, application or server errors)\n* Theoretical subdomain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting or banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HttpOnly flags on non-sensitive cookies\n* Weak CAPTCHA / CAPTCHA bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache-Control headers\n* Host header attacks\n* Directory listing\n* Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL/TLS issues (BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* HPKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 email spoofing\n* Mixed content scripting \u0026 self-XSS\n\nNon-qualifying Vulnerabilities for Mobile 
Apps (Android \u0026 iOS):\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in the app's private directory\n* Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL schemes\n* Lack of binary protection (anti-debugging) controls or mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* Apps logging sensitive information (logcat, console logs) unless you can provide proof of a malicious app stealing the data from the logs\n* Apps allowing data backups\n\n\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following descriptions to determine the severity of reported issues. Please note that there may be additional vulnerabilities that are not explicitly called out in the descriptions below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on its security impact.\n\n**Severity Ratings for Devices**\n\n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. 
Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or to remotely access sensitive assets on the device (for example a device owner’s Amazon account credentials or authentication tokens), are also classified as Critical.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category, as do vulnerabilities that bypass core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps). Additionally, this category includes device bricking scenarios: vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset (local access vector) are categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category, as are vulnerabilities that bypass exploit mitigations. 
These vulnerabilities could have an impact similar to High vulnerabilities but may require chaining with other vulnerabilities or user interaction.\n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n|Vulnerability    |Severity Range    |\n|---    |---    |\n|Remote Code Execution    |Critical    |\n|SQL Injection    |High - Critical    |\n|XXE    |High - Critical    |\n|XSS    |Medium - High    |\n|Server-Side Request Forgery    |Low - Critical    |\n|Directory Traversal - Local File Inclusion    |Medium - High    |\n|Authentication/Authorization Bypass (Broken Access Control)    |Medium - High    |\n|Privilege Escalation    |Medium - High    |\n|Insecure Direct Object Reference    |Medium - Critical    |\n|Misconfiguration    |Low - High    |\n|Web Cache Deception    |Low - Medium    |\n|CORS Misconfiguration    |Low - Medium    |\n|CRLF Injection    |Low - Medium    |\n|Cross Site Request Forgery    |Low - Medium    |\n|Open Redirect    |Low - Medium    |\n|Information Disclosure    |Low - Medium    |\n|Request smuggling    |Low - Medium    |\n|Mixed Content    |Low    |\n\n## Responsible Research and Disclosure Policy\n\nWe require that you:\n\n* Do not access or collect any customer data. \n* Do not exploit the security vulnerability for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability arising from actions performed against third parties or their technology.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-23T22:02:35.519Z"},{"id":3755123,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics and the associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including: the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you may optionally also provide patch/mitigation suggestions. We will acknowledge receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adhere to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report vulnerabilities only for the products or services listed within the scope of the program, and only if the report is not a duplicate of a previously known vulnerability.\n* Vulnerabilities must be submitted to us first through HackerOne and cannot be disclosed to a third party without our consent.\n* Vulnerabilities found in the SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if we need it to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted.\n* Do not perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving Customers.\n* Do not compromise or test Amazon/eero accounts that are not your 
own.\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n* Do not target Amazon/eero employees or customers, including through social engineering, phishing, or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon employees in communication.\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility.\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility or, further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing) \n\n* Use the User-Agent string `eeroResearcher_yourh1username` (substituting your HackerOne username) while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied; scanners/tools must be configured to send no more than **5** requests per second to any particular service.\n* Please note that use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP being blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use 3rd-party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only use assets that you expressly own and control yourself. 
This can be done using a self-hosted fork of the xsshunter-express repo.\nOur concern with 3rd-party infrastructure is the exposure of the vulnerability and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you control.\n* Any application-level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. \n   * For example, in `https://domain.com/endpoint?cb=test` the `cb` parameter is added as a cache buster to prevent any customer impact.\n\n**Using callback or collection infrastructure that is not hosted by you will result in complete forfeiture of any reward.**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n \n## eero Program Scope\n\n*In Scope Devices*\nThis program rewards vulnerabilities discovered on the devices listed below when they are running the latest available software. \n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program rewards vulnerabilities discovered in all eero backend services \u0026 apps available to customers and in the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (e.g. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\* \n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nCheck the WHOIS record of any domain surfaced by a subdomain scanner before you submit an issue on it. 
eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case by case and will most likely not be eligible for a reward. Direct attacks against any part of the AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, or best-practice issues. Examples include:\n\n* Descriptive error messages (e.g. stack traces, application or server errors)\n* Theoretical subdomain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting or banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HttpOnly flags on non-sensitive cookies\n* Weak CAPTCHA / CAPTCHA bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache-Control headers\n* Host header attacks\n* Directory listing\n* Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL/TLS issues (BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* HPKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 email spoofing\n* Mixed content scripting 
\u0026 self-XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS):\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in the app's private directory\n* Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL schemes\n* Lack of binary protection (anti-debugging) controls or mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* Apps logging sensitive information (logcat, console logs) unless you can provide proof of a malicious app stealing the data from the logs\n* Apps allowing data backups\n\n\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following descriptions to determine the severity of reported issues. Please note that there may be additional vulnerabilities that are not explicitly called out in the descriptions below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on its security impact.\n\n**Severity Ratings for Devices**\n\n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. 
Vulnerabilities that allow an attacker to perform a remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or to remotely access sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or to other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that bypass core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), are also High. Additionally, this category includes device bricking scenarios: vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to cause temporary device failure requiring a factory reset (local access vector) would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. 
These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.\n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct security impact to the customer or the device, such as parental control bypasses.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|---|---|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted. 
\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-08T17:39:33.872Z"},{"id":3754344,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics, and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and to keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report vulnerabilities only for the products or services listed within the scope of the program, and only if the report is not a duplicate of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving customers\n* Do not compromise or test Amazon/eero accounts that are not your 
own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon/eero employees or their customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service.\n* Please note, use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. 
This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact.\n   * For example, https://domain.com/endpoint?cb=test; in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n*In Scope Devices*\nThis program rewards vulnerabilities discovered on the devices listed below when they are running the latest available software.\n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program awards vulnerabilities discovered on all eero backend services \u0026 apps available to customers, and on the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\*\n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. 
eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, or best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing\n* Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting 
\u0026 Self XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS) - \n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in the app private directory\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* App logging of sensitive information (logcat, console logs) unless you can provide proof of a malicious app stealing the data from the logs\n* Apps allowing data backups\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves sole discretion to determine the severity of the vulnerability based on security impact.\n\n**Severity Ratings for Devices**\n\n*Note: issues that are demonstrated with ADB are generally accepted only if ADB is used to demonstrate a behavior that is possible to implement in an app.*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent, unrecoverable device failure even after factory reset. 
Vulnerabilities that allow an attacker to perform a remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or to remotely access sensitive assets on the device, for example a device owner’s Amazon account credentials or authentication tokens, are also classified as critical vulnerabilities.\n  \n**High**  \nHigh severity vulnerabilities may allow temporary bypass of critical security controls through local access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or to other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that bypass core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings or installing apps), are also High. Additionally, this category includes device bricking scenarios: vulnerabilities that cause permanent, unrecoverable device failure even after factory reset with a local access vector, and vulnerabilities that cause temporary device failure requiring a factory reset with a remote access vector.\n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  
\n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct impact to the customer or the device. These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local 3P app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|---|---|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-24T19:14:11.544Z"},{"id":3743241,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. 
eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics, and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and to keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report vulnerabilities only for the products or services listed within the scope of the program, and only if the report is not a duplicate of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving customers\n* Do not compromise or test Amazon/eero accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon/eero employees or their customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service.\n* Please note, use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability details and sensitive data to those 3rd parties. Make sure that all traffic goes through domains only you have control over.\n* Any application level DoS testing should be done by adding cache buster parameters to avoid any direct customer impact. 
\n   * For example, https://domain.com/endpoint?cb=test; in this case `cb` is added as a cache buster to prevent any customer impact.\n\n**Not using a version hosted yourself will result in complete forfeiture of any reward.**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n*In Scope Devices*\nThis program rewards vulnerabilities discovered on the devices listed below when they are running the latest available software.\n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program awards vulnerabilities discovered on all eero backend services \u0026 apps available to customers, and on the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\*\n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. 
Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, or best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing\n* Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS) - \n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data 
in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in the app private directory\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* App logging of sensitive information (logcat, console logs) unless you can provide proof of a malicious app stealing the data from the logs\n* Apps allowing data backups\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves sole discretion to determine the severity of the vulnerability based on security impact.\n\n*Severity Rating for Devices*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause a permanent denial of service. Vulnerabilities that allow an attacker to perform a remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, to remotely access sensitive assets on the device (for example a device owner’s eero account credentials or authentication tokens), or to remotely render a device permanently inoperable are also classified as critical vulnerabilities.  
\n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s eero account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, installing apps, or parental control bypasses are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\nVulnerability\tSeverity Range\nRemote Code Execution\tCritical\nSQL Injection\tHigh - Critical\nXXE\tHigh - Critical\nXSS\tMedium - High\nServer-Side Request Forgery\tLow - Critical\nDirectory Traversal - Local File Inclusion\tMedium - High\nAuthentication/Authorization Bypass (Broken Access Control)\tMedium - High\nPrivilege Escalation\tMedium - High\nInsecure Direct Object Reference\tMedium - Critical\nMisconfiguration\tLow - High\nWeb Cache Deception\tLow - Medium\nCORS Misconfiguration\tLow - Medium\nCRLF Injection\tLow - Medium\nCross Site Request Forgery\tLow - Medium\nOpen Redirect\tLow - Medium\nInformation Disclosure\tLow - Medium\nRequest smuggling\tLow – Medium\nMixed Content\tLow\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data. \n* Do not exploit the security vulnerability for any other purposes than for testing.\n* Must not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":null}","{\"platform_standard\":\"CHAINED_VULNERABILITIES\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-29T22:57:13.391Z"},{"id":3736183,"new_policy":"#eero Program Policy\n\n##Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. 
eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics, and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keep you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, device model (if applicable), clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n##Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks, denial-of-service attacks that hinder Amazon/eero in serving Customers\n* Do not compromise or test Amazon/eero accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon/eero employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks again any Amazon/eero facility\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n##Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. \n* Please note, use of scanning tools without the User-agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. 
**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n \n## eero Program Scope\n\n*In Scope Devices*\nThis program sponsors the vulnerabilities discovered on devices (listed below) that is running latest available software. \n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program awards the vulnerabilities discovered on all eero backend services \u0026 apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The Secondary focus of this program is on sites and services used for marketing or brand presence (i.e. main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple IOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\* \n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease do check whois record before you submit any issues on domains found from Subdomain Scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical and best-practice issues.  Here are some examples:\n\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories, (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive Cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing \n* Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS) - \n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation is out of scope\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data 
stored in app private directory\n* Lack of Exploit mitigations ie PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* App logging (logcat, console logs) sensitive information unless you can provide a proof with a malicious app stealing the data from logs\n* Apps allowing data backups\n\n\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description, in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n*Severity Rating for Devices*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s eero account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. 
This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to owner’s eero account or other sensitive data protected by device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls, sandboxing mechanisms or bypass user interaction requirements for device operations example, modifying privacy settings, installing apps, or parental control bypasses are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observing of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow security vulnerabilities that may not pose a direct impact to customer or the device. 
These vulnerabilities may introduce user friction or can cause inconvenience to user such as device crash or reboot by a local 3P app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse following table to determine the severity ratings for web and mobile app vulnerabilities.\n\nVulnerability\tSeverity Range\nRemote Code Execution\tCritical\nSQL Injection\tHigh - Critical\nXXE\tHigh - Critical\nXSS\tMedium - High\nServer-Side Request Forgery\tLow - Critical\nDirectory Traversal - Local File Inclusion\tMedium - High\nAuthentication/Authorization Bypass (Broken Access Control)\tMedium - High\nPrivilege Escalation\tMedium - High\nInsecure Direct Object Reference\tMedium - Critical\nMisconfiguration\tLow - High\nWeb Cache Deception\tLow - Medium\nCORS Misconfiguration\tLow - Medium\nCRLF Injection\tLow - Medium\nCross Site Request Forgery\tLow - Medium\nOpen Redirect\tLow - Medium\nInformation Disclosure\tLow - Medium\nRequest smuggling\tLow – Medium\nMixed Content\tLow\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data. \n* Do not exploit the security vulnerability for any other purposes than for testing.\n* Must not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in responsible timeframe, the vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES","CHAINED_VULNERABILITIES"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-14T21:21:22.261Z"},{"id":3732770,"new_policy":"#eero Program Policy\n\n##Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. 
Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics, and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keep you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, device model (if applicable), clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor’s specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, severity of the issue reported.\n\n##Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, and pivoting with access not normally granted\n* Do not attempt to perform brute-force attacks, denial-of-service attacks that hinder Amazon/eero in serving Customers\n* Do not compromise or test Amazon/eero accounts that are not your own\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith\n* Do not attempt to target Amazon/eero employees or its customers, including social engineering attacks, phishing attacks or physical attacks\n* Do not perform any testing against assets that directly involve Amazon Employees in communication\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks again any Amazon/eero facility\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeit of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n##Rules of Engagement (Testing) \n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing \n* Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than **5** requests per second to any particular service. \n* Please note, use of scanning tools without the User-agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern in using 3rd party infrastructure, exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself, will result in complete forfeiture of any reward. 
**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n \n## eero Program Scope\n\n*In Scope Devices*\nThis program sponsors the vulnerabilities discovered on devices (listed below) that is running latest available software. \n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program awards the vulnerabilities discovered on all eero backend services \u0026 apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The Secondary focus of this program is on sites and services used for marketing or brand presence (i.e. main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple IOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\* \n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease do check whois record before you submit any issues on domains found from Subdomain Scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical and best-practice issues.  Here are some examples:\n\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories, (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive Cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing \n* Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS) - \n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation is out of scope\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data 
stored in app private directory\n* Lack of Exploit mitigations ie PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* App logging (logcat, console logs) sensitive information unless you can provide a proof with a malicious app stealing the data from logs\n* Apps allowing data backups\n\n\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there maybe additional vulnerabilities that are not explicitly called out in the below description, in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n*Severity Rating for Devices*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls for example secure boot bypass fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device for example a device owner’s eero account credentials or authentication tokens, or can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access or cause temporary denial of service causing a device to crash or reboot through remote access. 
This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s eero account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings, installing apps, or bypassing parental controls), are also included.  \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local third-party (3P) app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|---|---|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any purpose other than testing.\n* Must not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points, or participation without your permission.\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-17T20:46:15.874Z"},{"id":3731886,"new_policy":"==**At 10:00 UTC July 10th, HackerOne is updating to a new policy format that will provide better clarity and structure. This functionality makes it clear how Amazon's program behaves. Note that when this functionality goes live, the settings will not immediately reflect the true status of things. 
Until UTC 00:00 July 13th, please follow the policy as it's written and not the newly created modals. Thank you.**==\n\n#eero Program Policy\n\n##Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics, and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keep you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, device model (if applicable), clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted.\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving customers.\n* Do not compromise or test Amazon/eero accounts that are not your own.\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n* Do not attempt to target Amazon/eero employees or customers, including through social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon employees in communication.\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility.\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than **5** requests per second to any particular service.\n* Please note that use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use third-party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only use assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using third-party infrastructure is the exposure of vulnerability details and sensitive data to those third parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n*In Scope Devices*\nThis program rewards vulnerabilities discovered on the devices listed below that are running the latest available software.\n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program rewards vulnerabilities discovered on all eero backend services \u0026 apps available to customers and on the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\*\n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low-severity, purely theoretical, and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. 
stack traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive cookies\n* Weak Captcha / Captcha bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing cache control\n* Host Header attack\n* Directory listing\n* Missing HTTP security headers, specifically those listed at https://www.owasp.org/index.php/List_of_useful_HTTP_headers\n* SSL issues (BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 email spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\n*Non-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS)*\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation is out of scope\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data 
stored in the app private directory\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* App logging (logcat, console logs) of sensitive information, unless you can provide proof of a malicious app stealing the data from logs\n* Apps allowing data backups\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note that there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n*Severity Rating for Devices*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s eero account credentials or authentication tokens, or that can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service (a device crash or reboot) through remote access. 
This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s eero account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example, modifying privacy settings, installing apps, or bypassing parental controls), are also included.  \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local third-party (3P) app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|---|---|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any purpose other than testing.\n* Must not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, you must notify us what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points, or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-10T00:36:56.700Z"},{"id":3687620,"new_policy":"#eero Program Policy\n\n##Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. 
Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics, and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keep you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including - software version of device/application research was performed on, device model (if applicable), clear description of the issue, proof of concept (wherever applicable), along with detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program, and only if it is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted.\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving customers.\n* Do not compromise or test Amazon/eero accounts that are not your own.\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n* Do not attempt to target Amazon/eero employees or customers, including through social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon employees in communication.\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility.\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to send no more than **5** requests per second to any particular service.\n* Please note that use of scanning tools without the User-Agent string `eeroResearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use third-party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any other testing, only use assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using third-party infrastructure is the exposure of vulnerability details and sensitive data to those third parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n*In Scope Devices*\nThis program rewards vulnerabilities discovered on the devices listed below that are running the latest available software.\n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program rewards vulnerabilities discovered on all eero backend services \u0026 apps available to customers and on the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\*\n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low-severity, purely theoretical, and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. 
stack traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive cookies\n* Weak Captcha / Captcha bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing cache control\n* Host Header attack\n* Directory listing\n* Missing HTTP security headers, specifically those listed at https://www.owasp.org/index.php/List_of_useful_HTTP_headers\n* SSL issues (BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 email spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\n*Non-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS)*\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation is out of scope\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data 
stored in the app private directory\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* App logging (logcat, console logs) of sensitive information, unless you can provide proof of a malicious app stealing the data from logs\n* Apps allowing data backups\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note that there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n*Severity Rating for Devices*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example a secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s eero account credentials or authentication tokens, or that can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service (a device crash or reboot) through remote access. 
This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s eero account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example modifying privacy settings, installing apps, or parental control bypasses), are also included.  \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local 3P app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|---|---|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nWe require that you:\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any other purposes than for testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-12T22:18:45.856Z"},{"id":3686473,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. 
Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics and the associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including: the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Rules of Engagement (Behavior)\n\n* Amazon/eero employees and contractors, as well as their immediate family members, are strictly prohibited from participating in this program.\n* Do not attempt to conduct post-exploitation: modification or destruction of data, interruption or degradation of Amazon/eero services, or pivoting with access not normally granted.\n* Do not attempt to perform brute-force attacks or denial-of-service attacks that hinder Amazon/eero in serving customers.\n* Do not compromise or test Amazon/eero accounts that are not your own.\n    * If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. 
Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n* Do not attempt to target Amazon/eero employees or customers, including social engineering attacks, phishing attacks or physical attacks.\n* Do not perform any testing against assets that directly involve Amazon employees in communication.\n    * This can include support chats, even ones appearing to be automated.\n* Do not perform physical attacks against any Amazon/eero facility.\n* Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\n**Violation of the above rules may result in forfeiture of bounty eligibility, or further, disqualification from bounty program participation at Amazon/eero's discretion.**\n\n## Rules of Engagement (Testing)\n\n* Make sure to use the User-Agent string `eeroResearcher_yourh1username` while testing.\n* Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than **5** requests per second to any particular service.\n* Please note that use of scanning tools without the User-Agent string `amazonkitresearcher_yourh1username` may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.\n* Do not use 3rd party sites when testing (for instance, XSS Hunter variants). When doing blind XSS or any testing, only utilize assets that you expressly own and control yourself. This can be done using a home-forked version of the xsshunter-express repo.\nOur concern with using 3rd party infrastructure is the exposure of vulnerability and sensitive data to said 3rd parties. Make sure that all traffic goes through domains only you have control over.\n**Not using a version hosted yourself will result in complete forfeiture of any reward. 
**\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\n\n## eero Program Scope\n\n*In Scope Devices*\nThis program sponsors vulnerabilities discovered on the devices listed below when running the latest available software.\n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program awards vulnerabilities discovered on all eero backend services \u0026 apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\*\n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive Cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing\n* Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS):\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data 
stored in the app private directory\n* Lack of exploit mitigations, i.e. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* App logging (logcat, console logs) of sensitive information, unless you can provide proof of a malicious app stealing the data from logs\n* Apps allowing data backups\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n*Severity Rating for Devices*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s eero account credentials or authentication tokens, or that can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service, causing a device to crash or reboot, through remote access. 
This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s eero account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example modifying privacy settings, installing apps, or parental control bypasses), are also included.  \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local 3P app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|---|---|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nWe require that you:\n\n* Do not access or collect any customer data.\n* Do not exploit the security vulnerability for any other purposes than for testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\n\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-21T19:40:24.816Z"},{"id":3685483,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. 
Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics and the associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. To ensure appropriate reward allocations, please provide a detailed report including: the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. 
We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report a vulnerability only for the products or services that are listed within the scope of the program and that is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of the submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero by using \u003cyourh1username@wearehackerone.com\u003e\nAlso, while testing, please include the string `eeroResearcher_yourh1username` in your User-Agent header. You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\nType: Request header\nMatch: ^User-Agent.*$\nReplace: User-Agent: `eeroResearcher_yourh1username`\n\n## eero Program Scope\n\n*In Scope Devices*\nThis program sponsors vulnerabilities discovered on the devices listed below when running the latest available software.
\n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program awards vulnerabilities discovered on all eero backend services \u0026 apps available to customers and the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\*\n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease check the whois record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive Cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing\n* Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS):\n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data stored in the app private directory\n* Lack of exploit mitigations, i.e. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* 
App logging (logcat, console logs) of sensitive information, unless you can provide proof of a malicious app stealing the data from logs\n* Apps allowing data backups\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n*Severity Rating for Devices*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls, for example secure boot bypass, fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution, or remote access to sensitive assets on the device, for example a device owner’s eero account credentials or authentication tokens, or that can remotely render a device permanently inoperable are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause temporary denial of service, causing a device to crash or reboot, through remote access. This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process, or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s eero account or other sensitive data protected by the device kernel or a privileged process fall into this category. 
Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or that bypass user interaction requirements for device operations (for example modifying privacy settings, installing apps, or parental control bypasses), are also included.  \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities may not pose a direct impact to the customer or the device. These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot caused by a local 3P app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\n| Vulnerability | Severity Range |\n|---|---|\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| XXE | High - Critical |\n| XSS | Medium - High |\n| Server-Side Request Forgery | Low - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Medium - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - Medium |\n| CORS Misconfiguration | Low - Medium |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Medium |\n| Open Redirect | Low - Medium |\n| Information Disclosure | Low - Medium |\n| Request Smuggling | Low - Medium |\n| Mixed Content | Low |\n\n## Responsible Research and Disclosure Policy\n\nWe require that you:\n\n* Do not access or collect any 
customer data.\n* Do not exploit the security vulnerability for any other purposes than for testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, notify us what information was accessed and provide written confirmation that the data has been securely deleted.\n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. 
You are responsible for complying with local laws, restrictions, regulations, etc.\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points, or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-28T19:33:53.979Z"},{"id":3685482,"new_policy":"# eero Program Policy\n\n## Introduction\nThe first mesh home wifi system, eero blankets any home in reliable and secure wifi. eero offers advanced online security tools, eero Secure and eero Secure+, to help protect personal data, devices, and networks from online threats. Founded in 2014 by Amos Schallich, Nate Hardison, and Nick Weaver, eero is an Amazon company.\n\nThe eero Bug Bounty Program is designed to recognize security research on our consumer electronics, and associated Devices and Services cloud services and web/mobile applications through bounty rewards. If you believe you have discovered a vulnerability impacting our devices and services, we encourage you to report it to us through this portal. Please review this page for our process, responsible research and disclosure policy, reward guidelines, and detailed scope of the eero Bounty Program. We are committed to being responsive and keeping you informed of our progress on the investigation.\n\n## eero Program Process\nIn order to be eligible for a bounty reward, you must be the first to report an issue to us for assets outlined in scope. 
To ensure appropriate reward allocations, please provide a detailed report including the software version of the device/application the research was performed on, the device model (if applicable), a clear description of the issue, a proof of concept (wherever applicable), and detailed steps to reproduce the issue; you can optionally also provide patch/mitigation suggestions. We will acknowledge the receipt of the report, and in case of any additional questions, we will communicate and work with you through the HackerOne portal.\n\nTo be considered for a reward, you must comply with all parts of this policy, including the following requirements:\n\n* Adherence to our Responsible Research and Disclosure Policy and other legal obligations.\n* Report vulnerabilities only for products or services listed within the scope of the program, and only where the report is not a duplicate submission of a previously known vulnerability.\n* Vulnerabilities cannot be disclosed to a third party without our consent and must be submitted first to us through HackerOne.\n* Vulnerabilities found in SoC vendor-specific code may not qualify for rewards unless there is a demonstrated impact on eero products.\n* You must be available to provide additional information if needed by us to reproduce and investigate your report.\n\nPlease note that we will prioritize the remediation of submissions based on the risk, customer impact, and severity of the issue reported.\n\n## Creating Accounts for Vulnerability Research\n\nPlease create accounts using a HackerOne email to help us track security research activity. You can create accounts on eero using \u003cyourh1username@wearehackerone.com\u003e.\nAlso, while testing, please include the string `eeroResearcher_yourh1username` in your User-Agent header. 
You can create a match and replace proxy rule in Burp by going to Proxy \u003e\u003e Options \u003e\u003e Match and Replace with the following options:\nType: Request header\nMatch: ^User-Agent.*$\nReplace: User-Agent: `eeroResearcher_yourh1username`\n \n## eero Program Scope\n\n*In Scope Devices*\nThis program rewards vulnerabilities discovered on the devices listed below when they are running the latest available software. \n\n* eero Pro (2nd Generation)\n* eero Beacon (2nd Generation)\n* eero (2nd Generation)\n* eero 6 (3rd Generation)\n* eero 6 Extender (3rd Generation)\n* eero 6 Pro\n* eero 6+ (4th Gen)\n* eero 6E Pro (4th Gen)\n\n*In Scope Services \u0026 Apps:*\nThis program rewards vulnerabilities discovered in all eero backend services \u0026 apps available to customers and in the supporting systems for delivery of those services (customer support, ordering, etc.). The secondary focus of this program is on sites and services used for marketing or brand presence (i.e. the main web site).\n\n*In Scope Mobile Application Packages:*\n\n| Name | Android Package Name | Apple iOS App ID |\n|---|---|---|\n| eero home wifi system | com.eero.android | 1023499075 |\n\n*In Scope Application Domains*\n\n* node.e2ro.com/\\* \n* api-user.e2ro.com/\\*\n\n*Not In Scope*\nPlease check the WHOIS record before you submit any issues on domains found by subdomain scanners. eero uses a number of third-party providers and services. Our bug bounty program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case-by-case, and most likely will not be eligible for a reward. Direct attacks against any part of AWS infrastructure are explicitly out of scope.\n\n*Non-qualifying Vulnerabilities*\nThis program does not award low severity, purely theoretical, and best-practice issues. Here are some examples:\n\n* Descriptive error messages (e.g. 
Stack Traces, application or server errors)\n* Theoretical sub-domain takeovers with no supporting evidence\n* HTTP 404 codes/pages or other HTTP non-200 codes/pages\n* Information leakage, fingerprinting / banner disclosure on common/public services\n* Disclosure of known public files or directories (e.g. robots.txt)\n* Clickjacking and issues only exploitable through clickjacking\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Logout Cross-Site Request Forgery (logout CSRF)\n* Presence of application or web browser 'autocomplete' or 'save password' functionality\n* Lack of Secure/HTTPOnly flags on non-sensitive Cookies\n* Weak Captcha / Captcha Bypass\n* Forgot Password page brute force and account lockout not enforced\n* OPTIONS HTTP method enabled\n* Reflected file downloads\n* Missing Cache control\n* Host Header Attack\n* Directory Listing \n* Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)\n* SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)\n* Not performing rate limiting on endpoints\n* Content spoofing\n* PKP / HSTS preloading\n* Generic examples of Host header attacks without evidence of the ability to target a remote victim\n* Reports exploiting the behavior of, or vulnerabilities in, outdated browsers\n* SPF, DKIM, or DMARC settings \u0026 Email Spoofing\n* Mixed Content Scripting \u0026 Self XSS\n\nNon-qualifying Vulnerabilities for Mobile Apps (Android \u0026 iOS) - \n\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* The absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* Lack of obfuscation is out of scope\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)\n* Any kind of sensitive data 
stored in app private directory\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* User data stored unencrypted on the file system\n* Lack of jailbreak \u0026 root detection\n* Crashes due to malformed URL Schemes\n* Lack of binary protection (anti-debugging) controls, mobile SSL pinning\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken environment)\n* App logging of sensitive information (logcat, console logs), unless you can provide proof of a malicious app stealing the data from the logs\n* Apps allowing data backups\n\n## Vulnerability Severity Ratings\n\nThe severity of a vulnerability generally reflects the security impact of the issue on the product. Please use the following description to determine the severity of reported issues. Please note there may be additional vulnerabilities that are not explicitly called out in the description below; in such cases, eero reserves the sole discretion to determine the severity of the vulnerability based on security impact.\n\n*Severity Rating for Devices*\n\n**Critical**  \nCritical vulnerabilities may allow a remote attacker to gain control of the device or cause permanent denial of service. Vulnerabilities that allow an attacker to perform remote or local bypass of critical security controls (for example, secure boot bypass) fall into this category. Vulnerabilities that allow an attacker to perform arbitrary code execution or gain remote access to sensitive assets on the device (for example, a device owner’s Amazon account credentials or authentication tokens), or that can remotely render a device permanently inoperable, are also classified as critical vulnerabilities.  \n  \n**High**  \nHigh severity vulnerabilities could allow temporary bypass of critical security controls through local access, or cause a temporary denial of service (a device crash or reboot) through remote access. 
This category includes vulnerabilities that could allow arbitrary code execution in an unprivileged process or local code execution in a privileged process with user interaction. Vulnerabilities that could allow local access to the owner’s Amazon account or other sensitive data protected by the device kernel or a privileged process fall into this category. Vulnerabilities that allow bypass of core security features such as mandatory access controls or sandboxing mechanisms, or bypass of user interaction requirements for device operations (for example, modifying privacy settings, installing apps, or bypassing parental controls), are also included.   \n  \n**Medium**  \nVulnerabilities that could allow a local attacker to temporarily hang or reboot the device would be categorized as Medium severity. Protocol security weaknesses that allow observation of sensitive information through physical access are included in this category. Vulnerabilities that allow bypassing of exploit mitigations would also fall into this category. These vulnerabilities could have a similar impact to High vulnerabilities but may require other vulnerabilities or user interaction.  \n  \n**Low**  \nLow severity vulnerabilities are those that may not pose a direct impact to the customer or the device. 
These vulnerabilities may introduce user friction or cause inconvenience to the user, such as a device crash or reboot triggered by a local third-party (3P) app.\n\n*Service \u0026 Apps Vulnerability Severity Ratings*\n\nUse the following table to determine the severity ratings for web and mobile app vulnerabilities.\n\nVulnerability\tSeverity Range\nRemote Code Execution\tCritical\nSQL Injection\tHigh - Critical\nXXE\tHigh - Critical\nXSS\tMedium - High\nServer-Side Request Forgery\tLow - Critical\nDirectory Traversal - Local File Inclusion\tMedium - High\nAuthentication/Authorization Bypass (Broken Access Control)\tMedium - High\nPrivilege Escalation\tMedium - High\nInsecure Direct Object Reference\tMedium - Critical\nMisconfiguration\tLow - High\nWeb Cache Deception\tLow - Medium\nCORS Misconfiguration\tLow - Medium\nCRLF Injection\tLow - Medium\nCross Site Request Forgery\tLow - Medium\nOpen Redirect\tLow - Medium\nInformation Disclosure\tLow - Medium\nRequest smuggling\tLow - Medium\nMixed Content\tLow\n\n## Responsible Research and Disclosure Policy\n\nWe require that you -\n\n* Do not access or collect any customer data. \n* Do not exploit the security vulnerability for any purpose other than testing.\n* Do not publicly disclose any information regarding the reported issue.\n* In case of accidental exposure to or collection of customer data, you must notify us of what information was accessed and provide written confirmation that the data has been securely deleted. \n\nWhile it is our goal to resolve the vulnerabilities reported to us in a responsible timeframe, vulnerabilities initially disclosed publicly or to a third party without our consent may not be eligible for rewards.\n\n## Safe Harbor\n\nAmazon will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. 
This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.\n\nAs long as you comply with this policy:\n\n* We consider your security research to be \"authorized\" under the Computer Fraud and Abuse Act.\n* We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.\n\nAmazon cannot authorize any activity on third-party products or technology (including any third-party technology that is included in, or that interoperates with, Amazon products) or guarantee that third parties won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties or their technology.\n\nDon’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.\nTo protect your privacy, we will not, unless served with legal process or to address a violation of this policy:\n\n* Share your PII with third parties.\n* Share your HackerOne points, or participation without your permission.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-28T19:27:52.712Z"}]